
Good work,
despite poor funding from the gov.
Analysis of IRC logs and open source intelligence played a key role in the successful police prosecution that led up to the conviction of a member of Anonymous for conspiracy to launch denial of service attacks against PayPal and other firms. Christopher "Nerdo" Weatherhead, 22, was convicted on one count of conspiracy to impair …
I don't think we're dealing with expert hackers here who thoroughly considered the link back to themselves.
Tor and Truecrypt use wouldn't be enough to cover your tracks online on their own. Tor, in particular, can be inherently leaky unless you're paranoid about what packets you send out over it (accidentally leave your IM/Skype/Email running? Whoops, there's identification right there). These people were caught by unencrypted browser histories (by the sound of it, which suggests use of non-full-disk encryption, or encrypted dual-systems - TrueCrypt's "plausible deniability" - where activities spilled over into unencrypted parts, or the part covered by the password they *did* share, of the disks).
And leaving proof-of-hosting just lying around on encrypted partitions? That's just amateur.
Organising over IRC? In comparison that's quite minor, but that's just asking for trouble too, because you leave full logs wherever you go - even accidentally - because a lot of people record IRC 24/7 so they can go to sleep and "catch up" on what happened later. Coordinating the attacks over IRC with random, unverified people (who were probably NOT using such methods to keep their identities hidden) seems a bit daft - especially if some of those people then moved onto social networks to pull in more people. And even using the same username - though that's hardly hard evidence - suggests a complete lack of thought about the connections between you and your activities. You couldn't convict on that alone, but if it gets to the point that there's some decent suspicion you were involved and YOUR Internet name has always been X and Internet name X appears on connections associated with the suspicion, the hosting, the IRC admins, etc. then it's just another nail in your coffin.
That said, not much would have saved them by that point anyway. I suspect that if they *didn't* hand over their TrueCrypt details, that's enough to convict them anyway (perverting the course of justice by failing to provide evidence - though there's a question of self-incrimination - or one of the newer laws would handle that quite nicely). So they weren't going to get away with it once it had come down to a handful of people of interest, and giving away your username, geographical location, and leaving a trail of history since your teenage years on those same details would give police an address in a matter of minutes (one phone call to XBox Live, I would think). Even if it was only as a suspect, you would be having a word with the boys in blue within moments and then explaining why you won't decrypt all those hard drives you have is going to be tricky to make stand up in court.
The story could well have been very different, but only if they actually knew enough about computers, and bothered to try to hide their identities properly. But even then, just finding evidence of connecting to the IRC channel and (then) a TrueCrypt volume that you refuse to decrypt is enough to throw you in jail.
They were sloppy, and got caught, and probably thought they were immune right until the verdict. One of the reasons I would be *useless* in any sort of online activism. I often find programs connecting that I'd forgotten all about (even with software firewalls that warn me), have DNS settings that for years send DNS requests to my old ISP's server, etc.
An example? Windows Vista and above talks to a server to establish the "Internet Connection" or not status of your connections. There are registry entries to tweak what server it talks to and what it expects to find in a named file on that server. I tweaked mine to point to my own private server (the theory being, if anyone is stupid enough to steal and then turn on my machine while it's on the Internet, I would capture their IP from the Apache logs), and then forgot about it for ages until I wondered why my icons never showed Internet connectivity. That's just the kind of stupid stuff that would catch me out before I even started.
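The pivot the comment above describes (one handle reused on IRC, a gaming service and a forum, so that a suspicion attached to the handle in one place carries over to the others) can be sketched in code. This is an added example, not code from the original thread or from the investigation in the story: the IRC log lines, the channel name, the handles, the hostmasks and the account records are all constructed for illustration, and the log layout is an assumed client-style format. It goes a little beyond the comment by normalising handles (case and punctuation) so that `Hooded_Fox` and `hoodedfox` are treated as one identity, which is how an analyst would actually search.

```python
"""Pivoting on a reused handle across IRC logs and other account records.

Added example; everything below is constructed, not real log data.
"""
import re
from collections import defaultdict

# Constructed IRC client log, in an assumed "[timestamp] ..." layout.
IRC_LOG = """\
[2010-12-08 19:02:11] *** Hooded_Fox (hf@host-1.example.net) has joined #examplechan
[2010-12-08 19:02:45] <Hooded_Fox> target list is on the pad, start when ready
[2010-12-08 19:03:10] <Hooded_Fox> someone push this out on the social sites
[2010-12-08 19:03:30] *** randomguy (rg@cust.example.org) has joined #examplechan
[2010-12-08 19:04:02] <randomguy> on it
[2010-12-08 19:05:00] *** moth (m@dyn.example.com) has joined #examplechan
"""

# Constructed "open source" account records: which handle exists where,
# and since when. In practice these come from profile pages, gamer tags, etc.
OSINT_RECORDS = [
    {"source": "gaming-service", "handle": "hoodedfox", "since": "2006"},
    {"source": "hobby-forum", "handle": "HoodedFox", "since": "2007"},
    {"source": "hobby-forum", "handle": "moth", "since": "2011"},
    {"source": "code-host", "handle": "unrelated", "since": "2009"},
]

JOIN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \*\*\* (?P<nick>\S+) "
    r"\((?P<ident>[^@]+)@(?P<host>[^)]+)\) has joined (?P<chan>#\S+)$"
)
MSG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] <(?P<nick>[^>]+)> (?P<text>.*)$")


def parse_irc_log(text):
    """Turn raw log lines into join/message events; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = JOIN_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "kind": "join", "nick": m["nick"],
                           "host": m["host"], "chan": m["chan"]})
            continue
        m = MSG_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "kind": "msg", "nick": m["nick"],
                           "text": m["text"]})
    return events


def normalise(handle):
    """Collapse case and punctuation so Hooded_Fox / hoodedfox / HoodedFox match."""
    return re.sub(r"[^a-z0-9]", "", handle.lower())


def correlate(events, records):
    """Build one profile per normalised handle: IRC activity plus external sources."""
    profile = defaultdict(lambda: {"irc_msgs": 0, "hosts": set(),
                                   "channels": set(), "external": []})
    for ev in events:
        p = profile[normalise(ev["nick"])]
        if ev["kind"] == "join":
            p["hosts"].add(ev["host"])
            p["channels"].add(ev["chan"])
        else:
            p["irc_msgs"] += 1
    for rec in records:
        key = normalise(rec["handle"])
        if key in profile:  # only handles actually seen on IRC are of interest
            profile[key]["external"].append((rec["source"], rec["since"]))
    return dict(profile)


def pivot_candidates(profile):
    """IRC handles that also exist elsewhere, most-linked and most-active first.

    This is a lead list, not proof: short or common handles ("moth") collide
    with unrelated people, which is why the comment calls it "hardly hard evidence".
    """
    return sorted((k for k, p in profile.items() if p["external"]),
                  key=lambda k: (-len(profile[k]["external"]),
                                 -profile[k]["irc_msgs"], k))


if __name__ == "__main__":
    prof = correlate(parse_irc_log(IRC_LOG), OSINT_RECORDS)
    for handle in pivot_candidates(prof):
        p = prof[handle]
        print(f"{handle}: {p['irc_msgs']} msgs, hosts={sorted(p['hosts'])}, "
              f"also on {p['external']}")
```

The point of the normalisation step is the one the comment makes: the handle only needs to be recognisably the same, not byte-identical, for an investigator to join the sources; the hostmask and the "since" dates then give them a starting point for the next request to a provider.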
Using TrueCrypt is surely a WTF. Everyone knows what TrueCrypt is. The risk is you somehow drop the fact you've used it. Then you are screwed.
You are better off wiping the machine after use after dumping persistent data (tools, etc) on an encrypted micro SD card. A micro SD card can be swallowed or destroyed easily. Encrypting the files on the card with your own algorithms (over and above mainstream ones if you must) and disguising them as PNG files and the like, and setting up a context for them to exist... oh look, they are PNGs in the texture folder of a game you are writing. I know rolling your own encryption algorithms is frowned upon, but the obscurity side of it seems more secure. I mean it's not like they are going to be setting actual experts on your machine for years to figure out what's going on.
I am not inclined to break the law and haven't done so, so what do I know, but that's what I would do.
Oh and hide a legitimate laptop stuffed with legitimate files under the floorboard in the attic. That'll confuse them for a time. They'll probably assign about 3 actual experts to your case, so just create 5 time-wasting lines of red herrings.
I remember reading about someone who booted his PC off a minimal unix USB stick (this was a while back when sizes weren't so great) which he kept away from the PC - the main OS and his personal files were held on an encrypted partition physically held inside the swap file of the windows install on the machine... He also had enough 'crap' in windows startup to cause most of this swap to be used.
So... he plugs his USB stick in, boots up into unix and all is there.
If someone else boots up, they get a 'normal' windows installation, and end up overwriting the swap file data.
Even if someone takes a forensic copy of the disk without booting it, all they'll see is a swap file full of 'meaningless' data
> I don't think we're dealing with expert hackers here who
> thoroughly considered the link back to themselves.
An "expert hacker" being someone who has been caught once, and learned the hard way that the ones that get caught are the ones that mistakenly believe they will never get caught.
EXPERT HACKER QUIZ: Choose the best answer:
I will never get caught because:
1) The authorities are too stupid,
2) I am too smart
3) Only a small fraction get caught anyway
4) I am too paranoid
ANSWERS:
If you answered 1-3, that knock at the door is the police
If you answered (4), you are a good hacker.
If you are too paranoid to even participate in the survey then you may be an expert hacker.
Thank You for taking our survey.
Depends on the network. It's possible to use SSL, though of course you need SSL between all the nodes as well as from client to server.
I've also had fun with various encryption methods that make you and others with the key able to see the text, but everyone else in-channel sees a load of g&7b6^&f7&^fvk8.
Of course, as the post above mentions, this isn't perfect!
"The wider collective might claim to be leaderless," Massie explained. "But the IRC channel had a power structure and hierarchy that was clear from looking at what was going on."
And this is new how? Every mob has its instigators - what do you think the ablative armor in front is for if not for rhetorical hiding behind?
But they're dealing with conspiracy theorists who will immediately assume that because the police are telling everyone that they can find out all they need from IRC and old gamer tags, then that is because they want people to think those methods are insecure and stop using them, because in reality they are so secure the police can't trace you if you do that - hence they'll all flood onto IRC with old gamer tags ... and run straight into the double-conspiracy trap that's been set.
N.b. if you think this is far fetched ... I remember a few years ago when MINT telecom came up with a global PAYG SIM card and the US authorities made a big deal about how terrorists could buy the SIMs for cash and they wouldn't be traceable. Turned out that Al-Qaeda believed this to such an extent that later a US general commented that they monitored the Afghan/Iraqi mobile networks and as soon as they saw a MINT SIM card connecting they sent in the forces .... only problem was he wasn't meant to say that, as immediately Al-Qaeda stopped using mobiles completely!
It's hardly a secret, and in a modern free nation the police are supposed to tell you what information they have and how they got it, to make sure they didn't just magic it out of thin air or acquire it by plugging your genitals into a car battery.
The elephant in the room which makes a mockery of justice and fools of law officers ...... and extraordinarily renders politicians as knowing accessories to fraud and crime and unfit for good governance purpose, ...... http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/9743839/Banks-are-too-big-to-prosecute-says-FSAs-Andrew-Bailey.html?
Is that collusion or a conspiracy?
Ah, noticed that too, eh? Police very quick to go after 'little' easy targets, not so quick or willing to take down the *real* crims.
Is it collusion or conspiracy?
It's answer D: ALL OF THE ABOVE.
If you haven't figured out how to use the Ribbon up to its potential by now you've really dropped the ball. A completely customizable interface that gives you instant access to all the features you want to utilize: Try using all the opportunities Ribbon offers before you whinge.
Dear UK gov.
See? What you need are diligent, skilful, investigators who are well-versed in their area of investigation.
You don't need to put the entire civilian population under a blanket of constant surveillance to catch criminals. Laziness is not an excuse for creating a police state.
Yours sincerely,
Everyone.
I really object to statements like "Using TrueCrypt is surely a WTF. Everyone knows what TrueCrypt is." Since when did being security conscious mean you are guilty of a crime?
We are getting to the stage where everyone *should* be encrypting their data to stop people leaving it around on memory sticks and laptops and then here you are saying that it mean someone must be up to no good!?
utterly absurd
Truecrypt has a "Hidden Volume" function, but if you let others know you are using it, it defeats the advantage of that function. Under UK law (unlike US law) you can be compelled to provide a key. Failure to provide the key is a crime in-and-of itself (punishable by two years in prison).
So, using truecrypt is not a crime. Failure to provide the key is.
So, this Anon faces up to ten years in prison. A similar level of sentencing for sex crimes against children, violent assault, armed robbery, rape and manslaughter. Oh, and for large-scale fraud.
PayPal, his alleged target, have dodged paying very large sums in taxes (millions of pounds sterling) and have had charges against them dropped in the UK.
Whom does the law serve?