LulzSec indictment published (scribd.com)
84 points by fpp on March 9, 2012 | hide | past | favorite | 64 comments



Ugh. Not downloadable (unless you want to download each page individually by saving it as an image), and it keeps giving me one of those shaking "Congratulations! You have WON!" banners.

Here's a site with these indictments as downloadable PDFs and without the annoying shaking ad: http://publicintelligence.net/lulzsec-indictments/


No ads: change the doc to fullscreen in the URL: http://www.scribd.com/fullscreen/84156085/



Thanks for this!


The trick I always use for scribd is printing to OneNote or whatever document writer you have handy. BullzipPDF does a pretty good job of this as well. It's not a perfect solution, but it sure beats going page by page into a png.


They didn't get him via TOR. If you start reading on page 26, it states that Jeremy Hammond revealed personal info to the confidential witness (CW-1). It was this personal info he shared that was used to identify Hammond as the suspect.


Further confirming my notion that social engineering is the real "hacking". When your systems are secure enough, people become the weakest link.


It's interesting because the FBI was in a perfect position to perform the most well-known attack on Tor: a correlation / timing attack. "If your adversary can watch both ends of the connection, you lose." They could watch his end and probably knew where the chat server was located. If it was located in the US, it would have been pretty straightforward to send an agent / install a device at the data center and watch the traffic on both ends. Even if the server was in another country, it would be slightly more complicated to set up, but I'm sure local law enforcement would cooperate.

Despite all that, their "correlation attack" was distinctly low-tech. They watched the traffic leaving his residence and confirmed with a confidential informant logged into the chat server that he was online. It just shows that despite all the paranoia of the crypto-nerd crowd, even the second most sophisticated government agency in the world (perhaps after the NSA), pursuing a high value target, still can't or doesn't want to perform those kinds of attacks (maybe because they aren't reliable enough to hold up in a court of law).

And the CCC was claiming that they could fingerprint encrypted connections with 40% reliability. That's so far from being an effective real-world attack by even the most sophisticated organizations, that you'd be wasting your time ever worrying about it.


There's the surveillance you do to find someone, and there's the surveillance you do to build an admissible case comprehensible to a jury.

Also, the surveillance you disclose in explanation of finding him, and the surveillance you do for the sake of having some surveillance to disclose.




I'm not sure what's wrong with the low-tech solution. Why is a sniffer preferable to an informant? Don't go with the high-tech option just because it's high-tech.

I think Hollywood and perhaps even our own fascination with technology misleads us, blinding our eyes to what has been proven to be simple and effective time and time again.


I think this is actually a pretty strong endorsement of TOR, just based on what I briefly read here. They had a wiretap running, and all they got out of it was "he's definitely using TOR." That's pretty awesome, if you ask me.


The bug that breaks Tor for a hostile government is not going to be disclosed in an indictment or in unsealed court proceedings.


But whatever they used to find him may be discoverable. Even if they had such tech, they might still have forgone it here to keep it out of discovery.

They might have other teams using it for intelligence rather than case-building. If they sequestered those from the teams building evidence that usage might not be discoverable.


Did you read the indictment? They got it specifically by matching TOR traffic to his online-activity patterns. Obviously they matched perfectly. IMHO this was a weak proof, but it is still totally unacceptable for a secure network not to hide traffic patterns.


To cite the first Tor research paper: https://svn.torproject.org/svn/projects/design-paper/tor-des...

Not secure against end-to-end attacks: Tor does not claim to completely solve end-to-end timing or intersection attacks. Some approaches, such as having users run their own onion routers, may help; see Section 9 for more discussion.

They are repeating it several times in their documentation, too.

It's not really a bug - there is little that can be done here, IMO.


The only way to really counter such an attack would be to have a constant stream of traffic going 24/7 that is set at such a level that your normal usage never exceeds it. Then, when you send a real message, the computer throttles back on the garbage communication and injects your real traffic into the stream. The amount of traffic thus remains constant and it would be difficult to do any type of frequency analysis on the traffic.

However, depending on how high the garbage stream must be set to ensure that there is never a spike of real communications higher than that, it could easily be too costly for most people.


I'm not sure it would have to consistently exceed it, as long as it varied in a random fashion, and that your actual use of the network didn't result in an observable increase in instantaneous or average traffic.

So if it saturates your connection for an hour for 6 hours randomly spaced throughout a day, it's not immediately apparent if that's because you're using it, or it's a decoy stream. Varying the amount used (and always adding at least a little extra when in use) would also make it harder to detect.

At least, that's how it seems to me. There may be some sort of cunning statistical attacks depending on the implementation, especially if the attackers have the endpoint under physical surveillance (and notice that your presence always matches traffic increases of some level).
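The two posts above describe two cover-traffic strategies: a constant-rate stream that real traffic is folded into, and randomly timed decoy bursts. The following toy simulation is an added illustration (not code from the thread or from any Tor component) that measures how much an observer's per-slot byte count still correlates with the user's true activity under each strategy. The activity schedule, burst sizes, cover budget and decoy probability are all constructed assumptions; the backlog figure is the queuing cost the first post mentions when the budget is set too low.

```python
"""Toy simulation: how much does observed traffic volume reveal about when a
user is active, with and without cover traffic?

Added illustration, not code from the thread or the case. The activity
schedule, burst sizes and the cover-traffic budget are constructed
assumptions; the only measurement is a Pearson correlation between an
'active' indicator and the per-slot byte count an observer would see."""
import random

COVER_RATE = 50_000  # constructed: cover-traffic budget in bytes per one-second slot


def real_traffic(slots, active_slots, rng):
    """Bytes the user actually sends per slot: bursts while active, nothing otherwise."""
    return [rng.randint(5_000, 40_000) if t in active_slots else 0 for t in range(slots)]


def constant_rate_shaper(real, rate):
    """Always put exactly `rate` bytes on the wire per slot.

    Real bytes go first and padding fills the remainder; bytes above the budget
    wait in a queue. Returns (observed series, largest queue backlog seen); the
    backlog is the latency cost of choosing a budget below the burst size."""
    backlog, max_backlog, observed = 0, 0, []
    for r in real:
        backlog += r
        backlog -= min(backlog, rate)      # drain up to `rate` real bytes this slot
        max_backlog = max(max_backlog, backlog)
        observed.append(rate)              # the wire carries the same count every slot
    return observed, max_backlog


def random_decoy(real, rng, p_burst=0.3):
    """Decoy bursts fired independently of activity, plus a little extra whenever the
    user really is active (the 'always add at least a little extra' variant)."""
    observed = []
    for r in real:
        decoy = rng.randint(5_000, 40_000) if rng.random() < p_burst else 0
        extra = rng.randint(1_000, 3_000) if r > 0 else 0
        observed.append(r + decoy + extra)
    return observed


def pearson(xs, ys):
    """Plain Pearson correlation; a constant series has no variance and returns 0."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / (sxx * syy) ** 0.5


def run(seed=1, slots=600):
    """Correlate an observer's per-slot byte counts with the true activity indicator."""
    rng = random.Random(seed)
    active = set(range(100, 160)) | set(range(400, 430))   # constructed sessions
    indicator = [1 if t in active else 0 for t in range(slots)]
    real = real_traffic(slots, active, rng)
    shaped, backlog_ok = constant_rate_shaper(real, COVER_RATE)
    _, backlog_low = constant_rate_shaper(real, 10_000)      # budget below burst size
    decoy = random_decoy(real, rng)
    return {
        "unpadded": pearson(indicator, real),
        "constant_rate": pearson(indicator, shaped),
        "random_decoy": pearson(indicator, decoy),
        "max_backlog_at_budget": backlog_ok,
        "max_backlog_at_low_budget": backlog_low,
    }


if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name:>28}: {value:.3f}" if isinstance(value, float) else f"{name:>28}: {value}")
```

The constant-rate stream drives the volume correlation to exactly zero because the observer sees the same number in every slot, but only while the budget exceeds the largest burst; the low-budget run shows real bytes piling up in a queue, which is the cost the first post anticipates. Random decoys only dilute the signal: the indicator still correlates with volume, just less strongly, which is the "cunning statistical attack" the second post allows for.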


I wonder if running a tor node would have helped mask any signal in a whole bunch of noise.


Once the FBI has a surveillance van parked outside your house, I think you already lost. I don't think there's much you can realistically do.


Yes you can, if you know math. Plus, with math knowledge often comes the wisdom to not commit crimes.


I have some serious doubts about the validity of this claim. While it's possible in proofs of concept, I reserve judgement until they can prove it in a court of law.


Actually the wiretap only permitted them to see IP addresses not packet contents.


Packet contents wouldn't have helped, due to multiple layers of encryption.


The case was mainly built by correlating internet activity timing... WITH an informant on the other end.


This is why privacy is such a Hard problem: damn near everything you do leaks information. If I post anonymously somewhere, my choice of words would narrow down who I am. If I mention that I live in San Francisco, that immediately excludes all the people who live somewhere else and aren't lying. As I browse through web sites, I leave a trail across a bunch of sites' access logs that could all be pieced together and linked to my IP address. (I've got my browser set to block those social tracking buttons, but still information leaks out.) The same thing applies to the physical world (e.g. every printer has its own distinguishing quirks if you inspect the printed output); the only difference is that the internet makes it a lot easier to snoop on people in bulk.


Well, geez, don't accidentally leak things like where and when you've been arrested. This isn't subtle stuff.


To mask your diction somewhat, you could use a translation service to go from English to, e.g., Chinese, and then back, fixing gross semantic errors as necessary.


Yeah, and if, like, nobody uses TOR and you do... then you're even more identifiable.


This was all detailed by Ars Technica a couple of days ago: http://arstechnica.com/tech-policy/news/2012/03/stakeout-how...


This pretty much sums it up from the article:

"While sup_g may indeed have been a "credible threat," he was in the end no match for the overwhelming federal resources of the FBI agents hunting him down. Over the last month, federal agents staked out his home in Chicago constantly, dug up old police surveillance records, tapped his Internet connection, used directional wireless finders to locate and identify his wireless router, and relied on Sabu back in his New York City apartment to let them know when sup_g went on or offline."

This is the one thing hackers will never get. You get the FBI on you and guess what? You're one person. They can assign hundreds of people to the case, bring down a wealth of resources to get you, and they go 24/7 until they build an airtight case on you. Not much you can do at that point but play their game.


Compare the photo of him from Ars Technica to this one from 2007: http://www.chicagomag.com/Chicago-Magazine/July-2007/The-Hac...

Reading through the indictment it becomes clear that he outed himself through many statements that narrowed down his identity. Not too smart.


As the Reiser case showed, some very smart people think that they are so smart as to get away with anything, but in practice they're just humans like everybody else, and will eventually make a mistake that takes them down.


I'm now wondering about the whole wifi router/MAC address connection (see p. 30). Initially, they claim they intercepted "public signals," and that from this information they were able to determine the MAC addresses connecting to the router. That's all well and good as long as you're running an open access point, but using WPA (for example) would prevent this.

Are we supposed to assume this guy wasn't encrypting his wifi? I'll grant that it's possible, but it strikes me as unlikely given his activities.

Alternatively, if the wifi router were encrypted, are they suggesting that it is "public" because it's wireless, penetrates walls, and can be "seen" from outside?

In order to inspect MAC addresses, the WPA encryption would need to be cracked using that SSID pre-computed attack. However, executing such an attack certainly couldn't be considered the collection of public information.


Every TCP/IP packet has a MAC address for the sending device and the next receiving device. I say sending device, rather than just sender, as the MAC address may not be the original sender's MAC address. Every time a packet is received by a device in the chain where it is going the old MAC addresses are stripped from the packet. The device that just received it becomes the sending MAC and the device that is the next hop in the chain to where it is going becomes the destination MAC. The MAC addresses have to change at each hop for them to forward them to the next device along the chain to destination.

Theoretically, you could encrypt a MAC address, but all it would mean is that your packet would go nowhere as your own computer wouldn't even know where to send it. Even when using WEP/WPA/WPA2 the MAC addresses between the devices must be clear text. There is simply no way around that. It does mean that the idea that they just intercepted public signals is entirely accurate if all they did was determine MAC addresses as they are transmitted in the clear with no active attack needed. Heck, every time I open my wifi manager I see the MAC addresses for all neighbours within 500m.

My big question is why is someone's MAC important? I can't see it being a very useful piece of evidence. It isn't end-to-end like IP addresses so I can't see any way it could be used to track him down. His own ISP probably doesn't even know it since they'll just see the MAC address of the modem he connects through. They are also notoriously easy to change at a second's notice.
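The post above makes the point that WPA/WPA2 protects the frame body but never the addressing header. The parser below is an added illustration (not code from the thread) that reads only the cleartext 802.11 header of a data frame and reports which fields a passive listener learns. The frames are built by hand with made-up, locally administered MAC addresses and random bytes standing in for the encrypted body; the field layout follows the 802.11 Frame Control and address-field definitions.

```python
"""Parse the cleartext header of an IEEE 802.11 data frame without touching its body.

Added illustration, not code from the thread. The frames below are built by hand
with made-up MAC addresses and a random body standing in for the WPA2-encrypted
payload; the point is which fields a passive listener can read regardless of the
encryption."""
import os


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_data_frame(sa, da, bssid, body, to_ds=False, from_ds=False, protected=True):
    """Construct a (non-QoS, non-WDS) 802.11 data frame. Frame Control is little-endian:
    byte 0 = version/type/subtype (0x08 = data), byte 1 = flags (ToDS, FromDS, Protected)."""
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0) | (0x40 if protected else 0)
    header = bytes([0x08, flags]) + b"\x00\x00"            # FC + Duration/ID
    if to_ds:                                              # station -> AP
        header += bssid + sa + da
    elif from_ds:                                          # AP -> station
        header += da + bssid + sa
    else:                                                  # ad hoc
        header += da + sa + bssid
    header += b"\x10\x00"                                  # Sequence Control
    return header + body


def parse_data_frame(frame):
    """Return the addressing information from the unencrypted header only."""
    if len(frame) < 24:
        raise ValueError("too short for an 802.11 data-frame header")
    fc = frame[0] | (frame[1] << 8)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds, protected = bool(fc & 0x0100), bool(fc & 0x0200), bool(fc & 0x4000)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24
    if to_ds and from_ds:          # WDS frame carries a fourth address; no single BSSID
        a4 = frame[24:30]
        hdr_len += 6
        da, sa, bssid = a3, a4, None
    elif to_ds:                    # addr1=BSSID, addr2=SA, addr3=DA
        bssid, sa, da = a1, a2, a3
    elif from_ds:                  # addr1=DA, addr2=BSSID, addr3=SA
        da, bssid, sa = a1, a2, a3
    else:                          # addr1=DA, addr2=SA, addr3=BSSID
        da, sa, bssid = a1, a2, a3
    if subtype & 0x8:              # QoS data subtypes add a 2-byte QoS Control field
        hdr_len += 2
    return {
        "to_ds": to_ds,
        "protected": protected,
        "station": mac_str(sa),
        "destination": mac_str(da),
        "bssid": mac_str(bssid) if bssid else None,
        "body_len": len(frame) - hdr_len,   # opaque bytes whenever protected is True
    }


def stations_seen(frames):
    """Client MACs a listener learns from station->AP frames alone, body never decrypted."""
    return {p["station"] for p in map(parse_data_frame, frames) if p["to_ds"]}


# Constructed sample capture: two clients talking through one WPA2 access point.
AP = bytes.fromhex("02aabbcc0001")        # locally administered (bit 0x02), i.e. fake
CLIENT_A = bytes.fromhex("02aabbcc0010")
CLIENT_B = bytes.fromhex("02aabbcc0020")
GATEWAY = bytes.fromhex("02aabbcc00ff")

CAPTURE = [
    build_data_frame(CLIENT_A, GATEWAY, AP, os.urandom(64), to_ds=True),
    build_data_frame(CLIENT_B, GATEWAY, AP, os.urandom(128), to_ds=True),
    build_data_frame(GATEWAY, CLIENT_A, AP, os.urandom(80), from_ds=True),
]

if __name__ == "__main__":
    for f in CAPTURE:
        print(parse_data_frame(f))
    print("stations:", sorted(stations_seen(CAPTURE)))
```

The parser never looks past `hdr_len`, yet it recovers the BSSID and every client address, which is exactly what the indictment's "public signals" wording covers. The practical mitigation on the client side is the per-network MAC randomization that modern mobile and desktop operating systems offer, since the link layer cannot hide the address it needs for delivery.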


I found this notable too. Using a hardline is probably harder to monitor and doing so would require ISP cooperation.


And most importantly, probable cause.


The indictment says they used a pen/trap device to monitor the wireless traffic. Does that mean they busted the encryption? I'm not saying that's a shock; it would seem more likely that they would monitor the traffic from the ISP's end rather than monitoring the wireless traffic.


No, they wouldn't have looked at anything that was encrypted. A "pen/trap" means they didn't examine the contents of the traffic at all, only where it was sent to (IP address). The term dates back to the old days of telephony -- a pen register would record dots for every digit dialed on a rotary dial (e.g., 8 dots if you dialed "8"). This would only allow the police to determine what phone numbers you dialed. There is another type of warrant that allows you to actually eavesdrop on the conversation; that type of warrant was apparently not used in this case.

For more information on how the laws relating to phone tapping are interpreted for the internet, see: https://en.wikipedia.org/wiki/Pen_register


If you're monitoring the encrypted wireless traffic of a wifi router without busting the encryption, then what good are IP addresses? Do you even see IP addresses if the traffic is encrypted? Wouldn't you just see MAC addresses? And even if you did "see" IP addresses, wouldn't you just see the wireless client's and the router's IP addresses?


Correct, you would not see the IP header if you were snooping encrypted wireless traffic. But that's not really what was described... They describe a "wireless router monitoring device"... however, I don't think they mean "wireless router", but wireless "router". My guess: this is a physical 'wired' device, attached to, or installed in, a router, that transmits data to a nearby monitoring (FBI) agent 'wirelessly'. This is why they can see IP (wired, so no encryption), but can't see anything else (tor).


Right. If you're the FBI and you have a warrant, you have access to the cable or wire coming out of the house and also to the ISP. There's no reason why you'd need to bother decrypting the transmissions between the user's computer and his wireless router. Although I've also read about the possibility that WPA wireless encryption can be cracked.


I would assume that up through the TCP/UDP header would be accessible to a pen/trap device. That's probably how they determined it was mostly TOR related traffic.


See page 31: "...An FBI TOR network expert analyzed the data from the Pen/Trap and was able to determine that a significant portion of the traffic from the CHICAGO RESIDENCE to the Internet was TOR-related traffic..."

Guess they did not want to provide too much info on that - otherwise they would have had to acknowledge that they are actually screening all traffic with deep inspection.


You're overthinking it. All it means is a bunch of traffic was going to and from known tor nodes.
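The pen/trap explanation a few posts up (addressing information only, no contents) and the reply above (traffic to and from known Tor nodes) fit together in a few lines of code. The script below is an added illustration, not code from the thread or from any agency: it drops payloads at the point of capture, labels each record by whether the remote endpoint appears in a relay list, computes the share of bytes that are relay-bound, and collapses timestamps into activity windows. The packets use RFC 5737 documentation addresses and the relay list is a constructed stand-in; a real check would be keyed on the current Tor directory consensus, and the default-port heuristic (ORPort 9001, DirPort 9030) is deliberately reported as a weaker hint than a list match.

```python
"""Pen/trap-style view of a home connection and a check for Tor-relay traffic.

Added illustration, not code from the thread or the FBI. The packets use
RFC 5737 documentation addresses and the relay list is constructed; a real
check would be keyed on the current Tor directory consensus. Contents are
discarded up front, which is the pen/trap distinction the thread describes."""
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst sport dport length payload")
Record = namedtuple("Record", "ts src dst sport dport length")     # no payload field at all

HOME = "192.0.2.10"                                                # constructed monitored address
KNOWN_RELAYS = {"203.0.113.5", "203.0.113.77", "198.51.100.12"}    # constructed stand-in list
TOR_DEFAULT_PORTS = {9001, 9030}   # default ORPort/DirPort: a weak hint, relays can use any port

# Constructed capture of six packets on the monitored link.
PACKETS = [
    Packet(0.0,   HOME, "203.0.113.5",   51000, 443,   1200, b"\x16\x03\x01 tls hello ..."),
    Packet(0.2,   "203.0.113.5", HOME,   443,   51000, 4000, b"\x16\x03\x03 ..."),
    Packet(1.0,   HOME, "198.51.100.12", 51001, 9001,  800,  b"..."),
    Packet(300.0, HOME, "192.0.2.200",   51002, 80,    300,  b"GET / HTTP/1.1 ..."),
    Packet(300.3, "192.0.2.200", HOME,   80,    51002, 2500, b"HTTP/1.1 200 OK ..."),
    Packet(301.0, HOME, "198.51.100.99", 51003, 9030,  200,  b"..."),
]


def pen_trap(packets):
    """Keep addressing fields only; the payload never reaches the analyst."""
    return [Record(p.ts, p.src, p.dst, p.sport, p.dport, p.length) for p in packets]


def classify(rec, relays=KNOWN_RELAYS):
    """Label a record by its remote endpoint: known relay, default-port hint, or other."""
    outbound = rec.src == HOME
    remote = rec.dst if outbound else rec.src
    remote_port = rec.dport if outbound else rec.sport
    if remote in relays:
        return "tor-relay"
    if remote_port in TOR_DEFAULT_PORTS:
        return "tor-port-hint"
    return "other"


def tor_share(records):
    """Fraction of bytes exchanged with known relays ('a significant portion')."""
    total = sum(r.length for r in records)
    tor = sum(r.length for r in records if classify(r) == "tor-relay")
    return tor / total if total else 0.0


def online_windows(records, idle_gap=60.0):
    """Collapse timestamps into (start, end) activity windows: the 'online-activity
    pattern' an observer gets without reading any contents."""
    windows = []
    for r in sorted(records, key=lambda r: r.ts):
        if windows and r.ts - windows[-1][1] <= idle_gap:
            windows[-1][1] = r.ts
        else:
            windows.append([r.ts, r.ts])
    return [tuple(w) for w in windows]


if __name__ == "__main__":
    recs = pen_trap(PACKETS)
    for r in recs:
        print(r.ts, r.src, "->", r.dst, r.dport, classify(r))
    print("tor share:", round(tor_share(recs), 3), "windows:", online_windows(recs))
```

The same relay-list match is what a network defender uses to flag Tor egress from a corporate segment, and the same caveat applies in both directions: a relay list only identifies traffic to relays whose addresses are published, so bridges and non-default ports fall through to the weaker hint or to "other".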


I don't know what you mean by "all traffic"; on the previous page it says the FBI installed some kind of device to capture the suspect's traffic, which is hardly a controversial practice.


Well, this is now called lawful inspection.

The deeper meaning of this is that all I-Net traffic can / is inspected through special interfaces at the ISPs (that could of course also be on the edge of the networks) and all (larger) ISPs have to make those available 24/7 without knowing who's accessing them. Generally speaking I guess it might be better to say that all traffic taking certain routes (I certainly don't want to explain this) or using / showing certain patterns will automatically be inspected.

From a logical point of view you will have to look into everything if you do not know what you're searching for and identify the unusual or some "patterns" you already know...

The general approaches used here are similar to IDS solutions and generally HW based / speed enhanced solutions are used for that (magnitudes faster than software only).

Keywords on that - if you want to find out more - are Deep Packet Inspection, lawful inspection and interception, network neutrality, PCRF etc.

There is a whole industry providing these services / solutions (to the TelComs and government agencies) and their biggest players are all based in the U.S.


Yeah, we know about CALEA and ECHELON, but there's no evidence that they were used in this case so I don't know why you're bringing it up. It sounds like conspiracy-mongering.


Hold your horses - you're trying to kill the messenger!

This is what the congressional hearings with AT&T regarding Bush Mark 2 interceptions were all about - now it's all legal, so no press on that anymore.

And I guess you know that what can be done will be done.

No conspiracy, standard practice - 15 years ago everybody involved in such practices would have been called a terrorist, enemy no. 1 to our democratic systems; now seemingly it's the other way around.


Nobody is shooting the messenger. You're saying "oh noes, the government is evil! look!" where in this case, there is no evidence of that. Without inspecting every packet on the Internet, they still got this guy with something equivalent to a regular wiretap.


The FBI has TOR network experts? Hmm. I wonder if they use it themselves?


What's so surprising in that? FBI can probably hire an expert in any existing technology. I'm sure they have very smart people working for them, and if they need they can always use outside consultants. I'd be pretty surprised and disappointed if they didn't have some experts with knowledge in everything that pertains to internet security, cracking, etc. There's a whole industry about that, for years now, so why not?


I guess what I'm saying is, it makes it sound like they have a guy on staff (not contracted) whose whole job is to be the TOR expert. I just wasn't expecting TOR would be that important.


It doesn't say his whole job is to be a TOR expert. He could have knowledge in TOR - one doesn't have to be exceptionally knowledgeable to be considered an "expert" in legalese; regular working knowledge of the matter allowing him to make informed conclusions like "this set of packets is TOR traffic going to this IP" should be enough - and other matters too.


Wait... This is 2012 and they wrote this document on a typewriter?

Why?

Performance of the typist? Security concerns?


It's Courier, not an actual typewriter.


Haha, I got fooled by the fact it's a scanned document + the ascii art in the corner.

Well, I guess they're still using computers as if they were just typewriters...


They have a policy of printing & scanning documents for archival purposes.

It also seems they have a policy of using Courier, which is probably a carry-over from the days of paper records. It isn't the most readable font ever, but it is surely one of the most legible - a good thing for documents meant for preservation.


Lots of courts have very specific rules about the format of documents. I think it's at least partly to keep lawyers from playing schoolboy-style shenanigans like making lengthy documents seem short or vice versa.


I am more interested in Sabu's indictment and guilty plea, because I don't buy that they caught him because he logged into IRC once with his real IP. That doesn't prove you are the Sabu from LulzSec.


The ars article a few days back said that he was essentially caught because he had claimed ownership of a domain that he had registered with Godaddy Domains by Proxy, and then Godaddy leaked his information for a couple days when renewing the domain.

I suppose, just another reason not to trust Godaddy?


The prvt.org domain? The Jester, who was the guy who first published that a year ago, tweeted that he thinks Sabu was arrested before the whois record on that domain was leaked.

Somebody needs to sit down and work out the timeline here and figure out what happened.


This is interesting if only for the lawyer's summaries of IRC chat logs.

6 lines of chat, 2 paragraphs of summary. Ah, bureaucracy.



