On September 22, 23-year-old college student Cody Kretsinger was arrested by the FBI for his part in the hack of Sony Pictures Entertainment by the high-profile hacking group LulzSec.
The hack exposed the personal information of more than 37,500 people who had registered for online promotions. The hack itself and the reasons behind it have become secondary, but it was part of a campaign against Sony by the hacking groups Anonymous and LulzSec after the company pursued PlayStation 3 hackers, in particular George Hotz, or “GeoHot”.
What made this arrest notable is that the FBI tracked Kretsinger, or “recursion” as he was also known, by obtaining logs of his activity from a proxy service provider called Hide My Ass (HMA).
HMA knew from chat logs published by The Guardian newspaper that LulzSec members had been using its service, but had chosen not to do anything about it. That changed when, by its own account, it was served with a court order in the UK.
There is now some expectation that a second LulzSec hacker, “Neuron”, who had also admitted to using the HMA service, might be tracked down.
Just business, right?
HMA’s handing over of logs to the FBI has been a rude awakening for many and has sparked condemnation from commentators on Twitter.
It illustrates that many in the hacker community have strong principles that they expect others of like mind to hold – it’s just who happens to be in the group of “like minds” at any one time that’s the issue.
HMA is a commercial company that markets its services by exploiting the idea it’s supportive of the hacker’s cause – even somewhat cynically exploiting its role in aiding Egyptian protesters in circumventing government censorship to access Twitter.
To many in the West, including in government and security circles, there’s nothing wrong with helping an Egyptian resident to break a law in a country whose government had effectively lost support. The issue is not a moral one, but simply a practical one, given it’s less likely the Egyptian Government would be able to obtain a UK court order to persuade a service such as HMA to hand over logs.
Representatives of other virtual private network (VPN) providers such as AirVPN (a VPN lets a user appear to be on a different network) have condemned HMA’s actions and questioned the company’s statement that “all VPN providers keep logs”.
AirVPN states that it keeps no logs, and it accepts anonymous payment in the digital currency Bitcoin. Privacy International has also questioned the actions of a provider that sells itself on its ability to keep your online activity anonymous and untraceable.
Staying hidden on the internet
In the chatroom logs of several LulzSec hackers there’s some discussion about how to stay secure and, in particular, how to use VPN technology to remain unidentified.
VPN service providers run servers in multiple countries; a user’s traffic is tunnelled to one of these servers and emerges onto the internet from that server’s address.
The most common use for this would be to appear as if you are a user in the US, for example, to bypass any restrictions imposed by your local internet service provider or government.
The uses of this technology range from Chinese residents wanting to access blocked sites such as Facebook to residents outside the US wanting to watch streaming video that is only available to US residents.
The issue with VPN services, as the HMA/LulzSec episode has highlighted, is that a provider such as HMA is under no obligation to keep private the details of the communication passing through its servers. The provider sees both the user’s real address and the destination of every connection, so whatever it chooses to log can be handed over.
Although HMA representatives claimed that in this case they were served with a court order, there is no evidence the company received anything other than a request from the FBI.
As the company is UK-based, it seems unlikely the FBI would have been able to obtain a UK court order for an activity that occurred in the US.
Rather, people at HMA may have been concerned that their business would be affected and their servers in the US shut down.
There is also another possibility: services such as HMA are sometimes (rightly or wrongly) referred to as “honeypots”, sites set up by the authorities that masquerade as independent commercial operations.
Tor: a better path to anonymity?
Given HMA is a commercial organisation, it is curious that the LulzSec hackers used it and services like it. The alternative to the commercial services is Tor.
Tor was originally developed as a project of the US Naval Research Laboratory and later received support from the Electronic Frontier Foundation (EFF) and other donors.
It works by wrapping the user’s traffic in several layers of encryption and sending it through a chain of Tor relays run by volunteers.
Each relay strips one layer and learns only the hop before it and the hop after it; the final (exit) relay removes the last layer and passes the traffic on to its destination. No single relay sees both where the traffic came from and where it is going, so, provided the content is also protected end to end (for example with HTTPS, since the exit relay sees whatever it forwards in the clear), no one point on the path can tell where a communication originated.
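As an added illustration, not part of the original article and not Tor’s own code, the following Python sketch shows the layering just described: the client wraps a request in one encryption layer per relay, each relay peels exactly one layer and learns only its next hop, and only the exit relay ends up holding both the destination and, if the request itself is not encrypted, its contents. The relay names, keys and request are constructed for the demo; real Tor negotiates each relay key with a Diffie-Hellman handshake and encrypts with AES, whereas this uses an HMAC-SHA256 keystream so it runs with the standard library alone.

```python
"""Toy onion-routing walk-through (added illustration; not Tor's real protocol).

Tor negotiates a separate AES key with each relay via a Diffie-Hellman
handshake and uses AES-CTR for the layers; this demo hard-codes three
constructed keys and uses an HMAC-SHA256 keystream instead so that it runs
with the standard library only. The shape of the onion is the point.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16

# Constructed demo circuit: guard (entry) -> middle -> exit. In real Tor the
# keys come from the per-relay handshake, never from a constant like this.
CIRCUIT = [
    ("guard-relay", hashlib.sha256(b"demo key: guard").digest()),
    ("middle-relay", hashlib.sha256(b"demo key: middle").digest()),
    ("exit-relay", hashlib.sha256(b"demo key: exit").digest()),
]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256(key, nonce || counter) keystream.

    Stand-in for AES-CTR: the same operation encrypts and decrypts.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Add one encryption layer under a fresh random nonce."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Remove one encryption layer."""
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """Client side: wrap the payload once per relay, exit layer innermost.

    The layer a relay peels contains only the next hop and an opaque body,
    so each relay learns one hop forward and nothing else.
    """
    next_hop, inner = destination, payload
    for name, key in reversed(circuit):
        layer = json.dumps({"next": next_hop, "body": inner.hex()}).encode()
        inner = wrap(key, layer)
        next_hop = name
    return inner  # outermost layer, addressed to circuit[0]


def peel(key: bytes, blob: bytes):
    """Relay side: strip exactly one layer; return (next_hop, remaining bytes)."""
    layer = json.loads(unwrap(key, blob))
    return layer["next"], bytes.fromhex(layer["body"])


def can_peel(key: bytes, blob: bytes) -> bool:
    """True only if this key strips the outer layer (the wrong relay cannot)."""
    try:
        peel(key, blob)
        return True
    except (ValueError, KeyError, TypeError):  # wrong key yields garbage, not JSON/hex
        return False


def run_circuit(circuit, destination: str, payload: bytes, sender: str = "client"):
    """Forward the onion hop by hop and record what each relay can observe."""
    blob = build_onion(circuit, destination, payload)
    observations, prev = [], sender
    for name, key in circuit:
        next_hop, blob = peel(key, blob)
        observations.append({
            "relay": name,
            "sees_from": prev,
            "sees_to": next_hop,
            # Only the exit relay holds the bare payload: anything not
            # protected end to end (e.g. plain HTTP) is readable here.
            "payload_in_clear": blob == payload,
        })
        prev = name
    return observations, blob  # blob is what the exit relay sends onward


if __name__ == "__main__":
    obs, delivered = run_circuit(CIRCUIT, "example.com:80", b"GET / HTTP/1.0\r\n\r\n")
    for o in obs:
        print(o)
    print("delivered to destination:", delivered)
```

Running the script prints one line per relay: the guard sees the client and the middle relay, the middle sees only the two relays either side of it, and the exit sees the middle relay, the destination and the plain HTTP request. The `can_peel` helper makes the other half of the point: the middle relay’s key cannot open the outer layer, so a relay cannot look further along the circuit than its own hop.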
Tor has known weaknesses but, combined with the project’s purpose-built browser software, it allows users to remain largely anonymous.
Download speeds through Tor can be ten times slower than normal, so it is conceivable the LulzSec hackers avoided it for this reason.
In the chatroom logs, a user by the name of “lol” (also known as “kayla”, and possibly also subsequently arrested) comments on how slow Tor is. In hindsight, the extra time would have been worth the effort.
The VPN provider AirVPN advises users to always run its VPN service over Tor.
Who can you trust?
The arrest of Cody Kretsinger has served as an object lesson to the hacker community about the difficulties of remaining anonymous and untraceable online.
More to the point, a considerable amount of background information was leaked to the press in the first place by former LulzSec member “m_nerva”, later identified as Marshal Webb from Ohio.
The lesson the hackers learned the hard way is also a salutary one for all dissidents, whistle-blowers and activists: in situations where much is at stake, no precaution is too great.
General awareness of tools such as Tor and others such as Freenet will become as fundamental as knowing how to use a browser. In all of this, commercial companies and networks will always act in their own interests.
Unfortunately, it comes down to one simple fact: it’s hard to trust anyone when your life depends on it.