Story

Notes on Sabu arrest

This post is just to jot down interest bits of info on the Sabu arrest. All the good stories with details appear in the first few hours, then the Internet fills up with crud, and I can no longer find the original stories via Google.

Fox News as the original stories at these links:

  1. http://www.foxnews.com/scitech/2012/03/06/hacking-group-lulzsec-swept-up-by-law-enforcement/ 
  2. http://www.foxnews.com/scitech/2012/03/06/exclusive-inside-lulzsec-mastermind-turns-on-his-minions/ 
  3. http://www.foxnews.com/scitech/2012/03/06/exclusive-unmasking-worlds-most-wanted-hacker/ 

They caught him because just once, he logged onto IRC without going through Tor, revealing to the FBI his IP address. This reveals a little bit about the FBI, namely that they've infiltrated enough of the popular IRC relays to be able to get people's IP addresses. We've always suspected they could, now we know.

This is a good lesson for Tor users. Tor, itself, is not enough to keep your identity hidden. It "fails open", which means that if you make a mistake, you'll expose your IP address. If "they" are coming after you, you need to configure a "fail close" network setup, such as by using a second machine as a transparent Tor proxy, such that everything is forced through Tor no matter what you do, and if the Tor service fails, your network connectivity also fails (fail close). 

Update: Two commenters think I'm criticizing Tor. I'm not. It's like that fact that crypto isn't enough to keep your data private. The FBI cannot crack AES128, but if you've chosen a poor password, they can crack that. It's not AES128's fault you chose a bad password.

It's likewise not Tor's fault you bypassed it in order to log onto IRC. It's just that you should be aware of the importance of choosing good passwords, and practicing good Tor hygiene.

Another lesson about the FBI is that this is how they always work. You don't expect arrests right away after a  major hack. Instead, the FBI will plod along for a year infiltrating as much of the organization as they can, turning key members, gathering hard evidence, and THEN they swoop in and gather everyone up.

This is mostly because hard evidence of past crimes is hard to get. You need evidence of future crimes. Once you've infiltrated the organization and can monitor what they are doing in real time, you'll get evidence of the crimes as they are happening, evidence you couldn't get on their previous crimes.

And the evidence the FBI most wants is for things like "conspiracy" [most of those arrested today are indicted on conspiracy].

Proving you committed a crime is hard, proving you conspired to commit it (by monitoring IRC) is pretty easy. Unless they find the stolen credit card numbers on your laptop, they'll find it difficult convicting you of cybercrime.

But they can convict you of conspiracy, intent, obstruction of of justice, racketeering, and so on. For example, the Palin hacker was convicted of only misdemeanor hacking, but felony obstruction of justice because he deleted evidence of the hack.

When your little group has done something really bad, and you realize you've gotten over your head and the the FBI is coming after you, you have the prisoner's dilemma to consider. The first one of you that cracks and helps the FBI track everyone else down will get the sweetheart deal, and everyone else will go to jail. I can't see myself doing this, but at the same time, I can't see myself getting involved in such cybercrime.

Anyway, this is just my notes page. As my stories appear on this subject, I'm going to keep updating this post.

--
From the Jimmy Graham in the comments section comes this article (http://www.informationweek.com/news/security/attacks/231000584) from last June that outed Sabu's identity. It points to this pastebin (http://pastebin.com/iVujX4TR) which dumps some key data on their identities. I'm surprised we all missed this back then.

--
Official FBI press statement: http://www.fbi.gov/newyork/press-releases/2012/six-hackers-in-the-united-states-and-abroad-charged-for-crimes-affecting-over-one-million-victims

---
Post from IBtimes (http://www.ibtimes.co.uk/articles/293742/20120206/antisec-anonymous-hackers-fbi-anti-security-hack.htm) from a month ago that looks completely different now that this has been revealed.

---
Post from The Guardian (http://www.guardian.co.uk/technology/2012/mar/06/lulzsec-sabu-working-for-us-fbi?CMP=twt_gu) that regurgitates the Fox News article, though they have some good links to their past coverage of Sabu, such as this article (http://www.guardian.co.uk/technology/2011/jun/24/inside-lulzsec-chatroom-logs-hackers) from last June (around the time Sabu was secretly arrested) discussing leaked chat logs of the LulzSec group.

--
This document (http://blog.wearpants.org/media/namshub.pdf) outs a lot of Anonymous, I'm not sure when it was posted, but it apparently identified Sabu before today's announcement.

--
This post from last December (http://rickey-g.blogspot.com/2011/12/anonymousabu-aka-xavier-de-leon.html) finds some clues to Sabu's identity, which in hindsight, appear to be true.

--
Wild eye ravings? Is FBI and/or Anymous behind everything? (http://www.deathandtaxesmag.com/179764/anonymous-has-grown-beyond-lulzsec-and-sabu/) Dispels the more extreme notions of the FBI, but still assumes that that the FBI is controlled by corporate/political interests.

--
A paper written describing what LulzSec is: http://pastehtml.com/view/blpmqrn78.html

--
Six things you didn't know about Sabu: http://www.buzzfeed.com/jwherrman/five-things-you-didnt-know-about-sabu-the-lulzse

--
Sabu's indictment: http://www.nypost.com/rw/nypost/2012/03/06/media/030612_hackers.pdf

--
Sabu assumed he was an FBI agent, rather than just a CI: http://gawker.com/5890901/anonymous-snitch-tried-and-failed-to-pass-himself-off-as-an-fbi-agent-last-month (Has he never watched "White Collar" TV show??)

--
Barret Brown, who sometimes acts as a spokesman, had his house raided :http://www.nytimes.com/2012/03/07/technology/lulzsec-hacking-suspects-are-arrested.html?_r=3

--
Interesting Gawker piece (http://gizmodo.com/5890825/lulzsec-leader-betrays-all-of-anonymous) with chat logs with "Virus", a detractor of Sabu who has been claiming Sabu was a snitch nearly from the moment Sabu became a snitch.

--
Great piece from Ars Technica on how Sabu led them to Hammond: http://arstechnica.com/tech-policy/news/2012/03/stakeout-how-the-fbi-tracked-and-busted-a-chicago-anon.ars
--

Sabu's Reddit Ask-Me-Anything thread, Sep'11:reddit.com/r/IAmA/comment… "Stick to yourselves. Friends will try to take you down if they have to."