Slashdot Mirror


Accused LulzSec Members Left Trail of Clues Online

Trailrunner7 writes "When the long arm of the law reached in to arrest members of Anonymous's senior leadership on Tuesday, speculation immediately turned to the identities of the six men behind the Guy Fawkes mask. With the benefit of hindsight, it turns out that many had been hiding in plain sight, with day jobs, burgeoning online lives and — for those who knew where to look — plenty of clues about their extracurricular activities on behalf of the world's most famous hacking crew. Two of the accused, Darren Martyn (aka 'pwnsauce,' 'raepsauce,' and 'networkkitten,') and Donncha O'Cearbhail, formerly known as Donncha Carroll (aka 'Palladium'), sported significant online footprints and made little effort to hide their affinity for hacking. In other areas, however, Martyn (who was reported to be 25, but claimed to be 19), seemed to be on his way to bigger and better things. He was a local chapter leader of the Open Web Application Security Project in Galway, Ireland. He spent some of his free time with a small collective of computer researchers with Insecurety Research, under the name 'infodox.'"

15 of 221 comments

  1. So it goes by Securityemo · · Score: 5, Insightful

    They're all human, obviously. And perhaps the risk aversion that would have driven them to meticulously fly under the radar ultimately would have prevented them from creating such a spectacle in the first place?

    --
    Emotions! In your brain!
    1. Re:So it goes by lightknight · · Score: 5, Interesting

      Cultural programming. If you're going to do something illegal, be sure to announce it to the world: that means you need to be sure to tell a friend, a family member, talk about it on an IRC channel, or with a stranger at a bar. And if you're brought in for questioning, be sure to share a jail cell with a snitch, because it's always a good idea to confide in a criminal. Be sure to tell him that you totally did it, and have no remorse for your actions. Hell, if you are lucky enough, you'll get a roommate who will tell the people in charge that you've confessed, even if you haven't; don't worry, the judge will totally believe him (the standards for evidence these days are abysmal).

      And I second Taco Cowboy's post. I believe the rule, back in the day, was to launch an attack through several boxes (SSH -> SSH -> SSH -> SSH -> SSH), and being especially sure to kill the syslogger before doing anything. Finally, be sure to launch it all from a laptop that you haven't used for anything else, on a connection that isn't your own.

      And yes, the false leads are useful. The FBI loves it when they spend time tracing the breadcrumbs back to one of their own boxes (surprising the number of attacks, over the years, that have been launched from www.fbi.gov).

      Finally, never reuse a box you've used before. Laptop gets an extra squeaky clean format (and a copy of Slack or something), and all boxes between point A and Z are now permanently off-limits. Keep a good lawyer on retainer, and never h@x0r a box inside your own country. Never use a nickname that you've used or mentioned elsewhere (randomly generated is the way to go). For me, were I to engage in some hypothetical cracking, I would never use 'lightknight' as the login, password, or key to anything. Wouldn't reuse the password tied to this account either.

      --
      I am John Hurt.
    2. Re:So it goes by Anonymous Coward · · Score: 5, Informative

      Rules to Hack and stay Free by:

      1. Never hack where you sleep, live, work, go to school, play, etc. To extend this idea a little, never hack from a location where there is any way at all to correlate your real identity. This includes public wifi spots where there are cameras, for example. As another example, if you use a library (assuming they don't also have cameras) it would be a bad idea to check a book out... or even have a card there.
      1b. This also includes recon and conversations related to hacking.
      1c. Leave your cellphone at home, or remove the battery.

      2. Most hackers can't afford to use a fresh, clean system for every hack or related activity. If you can, great. But if not, be sure you use a fully sanitized system, preferably one reserved just for hacking. A clean system running a non-installed OS and relying on virtual machines is the best option, encryption is a must-have and you absolutely have to be able to alter your NIC's MAC address. The hardware virtualization should be able to be altered so that nothing about the system will generate a consistent "fingerprint" across boots.

      3. Do not use public proxies or ones supplied by a 3rd party. Use only systems which you have personally compromised as a proxy agent.
      3b. All proxies should be regarded as already compromised, or even as honeypots. They should only be used to slow down the hunters, and assume that eventually they may yield some information even if they get scrubbed.

      4. Leave false trails when it is practical.
      4b. It is better to not leave a false trail, than it is to leave a false one and in the process create another real one.

      5. Never re-use handles, login names, passwords, drop locations, proxies, etc. Consider all that data one-time use only.

      6. Last, and most important is: Never become attached to anything which you cannot walk away from if you feel the Heat coming.

      Most hackers violate all these rules on a regular basis. They get lazy and sloppy, so they hack from home and re-use systems. They brag about what they did, intermix details of their real life with various handles, and re-use names, passwords, locations, and methods. People who don't follow these rules are Amateurs, not Professionals. Professionals can walk away from their entire real life if it ends up becoming compromised... most people who hack cannot do this and as such will never truly be "Elite".

  2. Re:When compilers are outlawed... by DigiShaman · · Score: 5, Insightful

    You laugh. Given the track record of our government, our heroes in office may decide to pass another epic failure of a bill. DHS mandated list of federal certified software developers. All compilations are recorded, audited, and the compiler software itself certified by the feds. Give another 10 years. It will happen. Not because it should, but because it can be.

    I never said any of this was rational. Just projecting a future based on the insanity that's going on now.

    --
    Life is not for the lazy.
  3. Re:This is fucking retarded. by GmExtremacy · · Score: 5, Insightful

    Whoa, whoa, whoa. Are you suggesting that we don't need dozens of armed policemen and helicopters to arrest the owner of a website that facilitated the copying of copyrighted material!? Are you actually suggesting that murder is worse than 'hacking' a website or infringing upon someone's copyright and that perhaps these expensive investigations aren't necessary!?

    How dare you!

  4. What utterly incompetent tradecraft by mrmeval · · Score: 5, Insightful

    They're children going up against people who have been trained to play this game by masters at it. They were nothing until they became a significant irritant and when that happened they ended up under a sledgehammer. It is a most dangerous game where you cannot make a mistake as your life is at stake. I don't know how badly they will fall but they're tagged now and most likely will be assigned to someone to watch for some time to come.

    --
    I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
  5. Story time by girlintraining · · Score: 5, Interesting

    A bit of time ago, I met a man who was very good at computer and physical security. He works now as a consultant for a local law enforcement agency; They bring him in for high tech crimes that are beyond their resources to crack. I know I'm being a bit short on details here, but bear with me. Anyway, he became a consultant because in his earlier life, he had gotten into some financial hardship and made a couple poor judgement calls, as seems to happen so often to otherwise highly intelligent people. Well, part of that contract was that he had to work for some unsavory folk helping them bypass security. That group of individuals then graduated from protection racket and simple ID theft to clearing out a dozen floors of a skyscraper under cover of darkness.

    The police didn't know what to do, and they didn't make it public because the enormity of the crime would have rocked the downtown financial district. Now my friend didn't want to be doing this forever, but he was rather stuck -- because now that the crimes were done, he was a liability, but at the same time, an asset to the organization he worked for. He knew it was only a matter of time before the liability side of the equation exceeded his usefulness and they ended him.

    So he did what anyone would do: He asked for help. Not straight out. Not directly, because he was under surveillance all the time by his "friends". So he started leaving clues. Misplaced equipment that would, say, print out his initials over and over again when found later at the crime scene. Subtle things. But enough that law enforcement got the idea that someone was trying to say "help me get out."

    Eventually, without his testimony being needed, they were able to piece together the bread crumb trail and nail the entire criminal organization in one sweep. He had to do time of course, but after only a year or so, they let him out on a very generous probation on one condition: Help them solve other crimes too complex for them to deal with.

    Now there was no movie ever made about this guy, no book deals, nothing. But he's not the first, he surely won't be the last, and I think it would behoove you people to consider that these people might have wanted to get caught. Sometimes people just get tired. Sometimes they have a change of heart. Sometimes they find out that it was all fun and games until they found out who was writing the paycheck. These "security researchers" are more than likely ex-members of similar organizations that are doing the same thing for the lulzsec people that someone else once did for them: Extradite them from a situation they've gotten too far into.

    So people, just remember: You may have their names. It's almost assured you do not have their story.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Story time by Anonymous Coward · · Score: 5, Insightful

      So he did what anyone would do: He asked for help. Not straight out. Not directly, because he was under surveillance all the time by his "friends". So he started leaving clues. Misplaced equipment that would, say, print out his initials over and over again when found later at the crime scene. Subtle things. But enough that law enforcement got the idea that someone was trying to say "help me get out."

      No offense but that sounds like complete crap. How many initials are we talking about here? Two? Three? It's stupid. Anyone doing stuff like this would increase massively their chance of being considered a liability without actually helping themselves at all. Their surveillance didn't pick up on the weird stuff he was doing, rigging equipment to print his initials, but would have noticed if he'd put a letter in the post? WTF?

  6. Dump summary by Weezul · · Score: 5, Informative

    LulzSec were their own hacker group operating under their own name to bolster their own egos. Please don't conflate them with Anonymous.

    LulzSec shared some aims and humor with Anonymous, but they always wanted to be identified. And that egotism helped get them caught.

    --
    The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
  7. Re:This is fucking retarded. by Dekker3D · · Score: 5, Insightful

    Perhaps he's insinuating that, if there's manpower to spare on either of those things, it should go to the more serious crimes. And the punishment should also fit the crime, and not be blown out of proportion.

    Even if he's not insinuating that, perhaps I should do so.

  8. Well then they goofed up. by elucido · · Score: 5, Insightful

    And there is nothing more to say about it.

    Let me make something clear to any would-be members of these groups or individuals who think hackers are cool. If you are a hacker expect to go to jail. Don't protest or do anything which isn't worth going to jail for. Most of the hacks these individuals participated in were not the sort of stuff that in hindsight they will believe was worth sacrificing their life for.

    These individuals may not be physically dead but they have no future, no career. The rumored snitch Sabu has it the worst because if what they say about him is true he's not going to be accepted in the criminal or police world so he's fucking gone.

    LulzSec always seemed like a dumbass group. I'm not a big fan of the whole AntiSec agenda, and I don't think LulzSec can be compared to Anonymous. LulzSec was not defending human rights in any way, while at least with Anonymous you have people who believe in something other than lulz.

  9. Protest doesn't require breaking the law. by elucido · · Score: 5, Insightful

    And it doesn't require pissing off the feds. You can protest in a smart way or in a dumb way and many of Anonymous choose the dumb way with dumb consequences. If they are going to be political freedom fighters, warriors, then they will have to act like warriors and think like warriors.

    Young people need to be educated so they know when they get involved with these groups it's like getting involved with a mafia or terrorist organization. Their life is changed forever, many of them might not survive it, those who do could have their life destroyed in all kinds of ways, basically it's young people sacrificing their future.

    LulzSec in my opinion were sacrificing their future for dumb reasons. Was it worth going to jail over? Now they are useless to society and can't do shit.

    1. Re:Protest doesn't require breaking the law. by lightknight · · Score: 5, Insightful

      1st Amendment. Just get a copy of a video of them engaging in some wayward action, and upload it to the web. They'll be laughed at for a week, then fired.

      If you want to piss off the (laughable) authorities, just post a copy of their wife engaging in some extramarital affair (happens often enough). They won't be able to touch you, and they'll be busy with family problems for the next seven years or so.

      --
      I am John Hurt.
  10. Re:This is fucking retarded. by artor3 · · Score: 5, Insightful

    You aren't even following your own thoughts to their logical conclusions.

    So whenever we have manpower to spare for other things, it should be diverted to more serious crimes. That's what you're claiming -- I'm not even significantly changing your wording. Can you really not see that the ONLY possible outcome of that approach is having literally 100% of resources focused on whatever the single worst crime is? That until that outcome is reached, you can ALWAYS complain that we should take resources away from lesser crimes and focus them on worse ones?

    Look, if you think hacking and piracy should be legal, come out and say it. Don't put forward these facile arguments that society is incapable of enforcing multiple laws at once.

  11. the FBI was running them. by decora · · Score: 5, Insightful

    Sabu was essentially an FBI agent. all the hacks that happened within the past 6 months under the guise of anonymous were, essentially, controlled and directed by the FBI. the FBI even hosted servers for them to use in their operation.

    the first rule of hacking would seem to be - if someone asks you to do something illegal and stupid, it's probably an FBI sting operation.