Cisco Blogs


Cisco Blog > Security

Hard Lessons about Hacking and Proxy Services

I was disheartened to read about the 22 September arrest of alleged LulzSec/Anonymous member Cody Kretsinger (known by the handle ‘recursion’) by the FBI as a suspect in the SQL injection attacks on multiple Sony websites. Note that I was not sad to see the good guys bust a cybercriminal, but I was sad to see a nice guy I had met and talked to briefly at BlackHat Las Vegas 2011 turn out to be a suspect wanted by the FBI.

Cody Kretsinger, second from right, at BlackHat 2011

One of the things we at Cisco try to do is reach out to those studying infosec and wanting to make a career in security. At BlackHat Cisco had a contest where the winner got a Pwnie Express PWN Phone, effectively a modified Nokia N900 with some pentesting software loaded. A group of guys, volunteers with the show from an IT school, were fascinated by the PWN Phone – possibly because in their circle a couple of them had Nokia N900s, a device relatively unknown in North America but somewhat popular in certain hacking circles due to the fact that its OS is Linux-based and thus can be made to run things like metasploit (like the PWN Phone does).

These guys came over and took our quiz, which is what we were using for the contest. Nice guys: polite, friendly, interested in security, networking and IT in general. They all seemed like the type that you might want to have at your company doing IT.

Except that at least one of them seems to have found himself on the dark side, a mistake that may cost him 15 years.

When you are young, it is easy to fall off the true path. Many are fortunate; their transgressions are of the sort that don’t generate logs, never cause too much harm and don’t get them caught. Most find their way back to the path and carry on, paying taxes, raising families, going to soccer games and the like.

One thing that could lead to a belief in ‘hackish’ invincibility, and which could greatly enhance the pull of the dark side, would be a truly untraceable proxy. There are a number of pseudo-anonymous (note the fact that I am not using the term anonymous) proxy services. Recursion used ‘HMA’ (warning: URL contains salty language). In the end, ‘HMA’ didn’t do what its domain name purported, but there are many others. While these services may in fact mask your IP in outbound connections, they do see your IP on inbound connections.

As HMA, the proxy/VPN service that recursion used, states in their blog:

As stated in our terms of service and privacy policy our service is not to be used for illegal activity, and as a legitimate company we will cooperate with law enforcement if we receive a court order (equivalent of a subpoena in the US).

Completely reasonable and exactly the same thing your ISP or mobile operator or anyone else in telecommunications might state. When the feds come knocking with the right papers, the kimono opens right up. Logs and in some cases actual traffic may be captured and forwarded.

If you spend time on forums or IRC, you know that folks on the net can be petty and vindictive. However, if you get in the way of big money or count coup on the feds or law enforcement, the petty noise of IRC will be like a burnt match next to the sun when compared to the great vengeance and furious anger governments and corporations will bring upon you. Governments and large corporations have little sense of humor when threatened and have considerable time, money and other resources. Normally the infosec scales are balanced in the favor of the attacker, who needs to be right only once. However, once you have the full attention of the FBI and others, the tide has turned. All you have to do is make one mistake and let them find it, and it is game over.

Tags: , , , , , ,

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.

24 Comments.


  1. Like Handratty says in Catch Me If You Can: “You will get caught, it’s a mathematical fact.”

       1 like

  2. This is an excellent point that I have been thinking about myself, less the “‘hackish’ invincibility” aspect and more the aspect of how disheartening it can be for a young, nice, polite InfoSec guy to be deemed a suspect. I think the InfoSec community (myself included), individually or with their company’s support, needs to focus efforts on mentoring and helping newcomers to the field. It can be a daunting place and often InfoSec folks spend more time being l33t than offering guidance and support. My .02.

       1 like

    • Jason Lackey

      Thanks EM. I love security but it really is soul crushing to meet a bright, switched on guy, the type where you can see the passion and the fire, only to see him end up stepping in it in a pretty big way. The technical side is but half the equation. Sometimes I feel it may not even be the most important half.

         0 likes

  3. Blah blah blah. Did you offer the kid a job? Did anyone try to put the kid to work doing something worthwhile? Bueller? Bueller?

    We’ve got – what? – thirty freaking years of brilliant young kids getting locked up for doing things that are worth a decent paycheck if done on contract. At what point will your industry get off it’s ass and start hiring them before they graduate to felonies? Or maybe you’re going to leave them to apprentice from blackhats until they graduate with a BS in ComSci?

    Is getting busted a CLM? Well, maybe. Mitnick, Poulsen and Lamo are doing alright so I guess it depends on what kind of career you’re looking for. It’s obvious that this kid wasn’t going to have a career with CISCO: he didn’t get called back for a second interview.

    Take a note: If this kid was serving coffee at Starbucks, you should all hang your heads in shame.

       2 likes

    • Yep the over educated underemployed young person strikes again! It was the foundation of the Egyptian revolution and the on going occupy Wallstreet. Until either we win, or the situation changes and we don’t have to protest it will only get worse and you’ll only see more of this.

      I talked with Kretsinger alot and he’s a good guy doing what he, and I believe is a legitimate form of civil disobedience. Of course its not legal, nor should it be, the fines should more match that of some one arrested during a protest. 500 bucks and an evening in the pokey.

      As these people continue to get arrested those that are left are increasingly radical. The Feds are creating a self defeating feedback loop.

         1 like

    • What a stupid post, blaming everyone else for the crimes committed by Lulzsec. What a joke. What about all the people they screwed in life, by releasing their personal information, passwords, credit card numbers, etc.

      How ironic, a group claiming they are promoting security, when they had their own website hacked by other hackers, and they get caught by using this proxy server. Obviously not as smart as they thought they were.

         2 likes

  4. Well I agree many young guys fall of the path due to the entices created in various forums about hacking. Hacking is illegal activity and must not be done by anyone in any situation. I am surprised to listen about the guys who hacked the quiz just to win Nokia N 900 this is ridiculous man. A wrong deed always yields wrong results i think all hackers who think they may escape and never get caught should remember the quotation “As you sow shall you reap”. I think its the parents who must guide their children to stay away from such activities. Feel sorry about nice guys who get trapped into hacking just due to the fake temptation

       0 likes

    • Jason Lackey

      Usman – just to be clear, while the crew from the University of Advancing Technology, and many others, were interested in the prize, they did not hack the quiz nor did they win. There were a couple of other guys who won the PWN Phones, they didn’t hack the quiz either. They won the old fashioned way, they were very smart, and very well informed on infosec.

         0 likes

  5. Sad story, but this is life. There are consequences to our actions.

    No one owes anyone anything in this life.

       1 like

    • Jason Lackey

      Hey Fuel – I would agree. Here are my thoughts:

      Stay whitehat because that is the right thing to do.

      However, if you don’t care about what is right, then at least focus on what’s smart and the smart money knows that if you do enough bad things for long enough you will eventually get caught. The cost in terms of time in jail, fines and damage to career will almost certainly be larger than any lulz were lulsy.

         1 like

  6. As one of the other guys in the picture, I would say that you all have seemed to forget that he was only accused and NOT proven to be guilty. In no place, what so ever, did it say he WAS/IS part of LulzSec; the best they (The DOJ) can do is say he is believed to be part of (Hint Hint BELIEVED != WAS/IS).

    Cody is still INNOCENT UNTIL PROVEN GUILTY.

    Also to address another point, we were not there for an interview, I showed up because I saw something about the N900 and then had a conversation with Mr. Lackey about the N900 and he was surprised that “someone in America knew a lot about the device”, The next day Cody and I showed up to talk Cisco and take a stab at the test (I only got 7 out of 10).

    Please people, until you really know what is going on, don’t talk about it. I hope you pay closer attention to your guys’ security then you guys do to words in an indictment.

    One last point
    Usman said:
    “Hacking is illegal activity and must not be done by anyone in any situation.”

    LOL WUT?!?! Hacking is not illegal at all; I do hope you are trolling. Hacking is the art of taking something and using it for another use (such as taking a TV Remote and turning it into a radio (you have to add a speaker to it)).

       1 like

    • Jason Lackey

      Thanks for posting, I appreciate you taking the time to do so. As you say, everyone, Cody included, is innocent until proven guilty. The person or people who did sony etc deserve some sort of punishment. If Cody is found innocent, never fear, we will do a story on that too and I would love to have you, Cody and the rest of the UAT crew on here telling me “I told you so!”. While I hope that this is all a big mistake the folks in the FBI usually do their homework. Regardless, please keep it whitehat, in the end it is easier that way.

         0 likes

    • You’re mistaking hardware modification with hacking.. you are sorely mistaken. Accessing a computer/network/website without the express permission of the owner is a federal offense. Even if you have permission from the owner, if you use that computer/network/website for a malicious purpose it is still a federal offense. Please refer to the following.

      Section 1030. Fraud and related activity in connection with computers

      (a) Whoever–

      (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation, willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;

      (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains–

      (A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.);

      (B) information from any department or agency of the United States; or

      (C) information from any protected computer if the conduct involved an interstate or foreign communication;

      (3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;

      (4) knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;

      (5)

      (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

      (B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or

      (C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage;

      (6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if–

      (A) such trafficking affects interstate or foreign commerce; or

      (B) such computer is used by or for the Government of the United States;

      (7) with intent to extort from any person, firm, association, educational institution, financial institution, government entity, or other legal entity, any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer;

      shall be punished as provided in subsection (c) of this section.

      (b) Whoever attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.

      (c) The punishment for an offense under subsection (a) or (b) of this section is–

      (1)

      (A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

      (B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

      (2)

      (A) a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(C), or (a)(6) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

      (B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), if–

      (i) the offense was committed for purposes of commercial advantage or private financial gain;

      (ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or

      (iii) the value of the information obtained exceeds $5,000;

      (C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

      (3)

      (A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A), (a)(5)(B), or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

      (B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A), (a)(5)(B), (a)(5)(C), or (a)(7)of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and

      [former paragraph (4) stricken effective Oct. 11, 1996].

      (d) The United States Secret Service shall, in addition to any other agency having such authority, have the authority to investigate offenses under subsections (a)(2)(A), (a)(2)(B), (a)(3), (a)(4), (a)(5), and (a)(6) of this section. Such authority of the United States Secret Service shall be exercised in accordance with an agreement which shall be entered into by the Secretary of the Treasury and the Attorney General.

      (e) As used in this section–

      (1) the term “computer” means an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device, but such term does not include an automated typewriter or typesetter, a portable hand held calculator, or other similar device;

      (2) the term “protected computer” means a computer–

      (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

      (B) which is used in interstate or foreign commerce or communication;

      (3) the term “State” includes the District of Columbia, the Commonwealth of Puerto Rico, and any other commonwealth, possession or territory of the United States;

      (4) the term “financial institution” means–

      (A) an institution with deposits insured by the Federal Deposit Insurance Corporation;

      (B) the Federal Reserve or a member of the Federal Reserve including any Federal Reserve Bank;

      (C) a credit union with accounts insured by the National Credit Union Administration;

      (D) a member of the Federal home loan bank system and any home loan bank;

      (E) any institution of the Farm Credit System under the Farm Credit Act of 1971;

      (F) a broker-dealer registered with the Securities and Exchange Commission pursuant to section 15 of the Securities Exchange Act of 1934;

      (G) the Securities Investor Protection Corporation;

      (H) a branch or agency of a foreign bank (as such terms are defined in paragraphs (1) and (3) of section 1(b) of the International Banking Act of 1978); and

      (I) an organization operating under section 25 or section 25(a) of the Federal Reserve Act. (5) the term “financial record” means information derived from any record held by a financial institution pertaining to a customer’s relationship with the financial institution;

      (6) the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;

      (7) the term “department of the United States” means the legislative or judicial branch of the Government or one of the executive departments enumerated in section 101 of title 5; and

      (8) the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information, that–

      (A) causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals;

      (B) modifies or impairs, or potentially modifies or impairs, the medical examination, diagnosis, treatment, or care of one or more individuals;

      (C) causes physical injury to any person; or

      (D) threatens public health or safety; and

      (9) the term “government entity” includes the Government of the United States, any State or political subdivision of the United States, any foreign country, and any state, province, municipality, or other political subdivision of a foreign country.

      (f) This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

      (g) Any person who suffers damage or loss by reason of a violation of the section, may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief. Damages for violations involving damage as defined in subsection (e)(8)(A) are limited to economic damages. No action may be brought under this subsection unless such action is begun within 2 years of the date of the act complained of or the date of the discovery of the damage.

      (h) The Attorney General and the Secretary of the Treasury shall report to the Congress annually, during the first 3 years following the date of the enactment of this subsection, concerning investigations and prosecutions under section 1030(a)(5) of title 18, United States Code.

      (Added Pub.L. 98-473, Title II, s 2102(a), Oct. 12, 1984, 98 Stat. 2190, and amended Pub.L. 99-474, s 2, Oct. 16, 1986, 100 Stat. 1213; Pub.L. 100-690, Title VII, s 7065, Nov. 18, 1988, 102 Stat. 4404; Pub.L. 101-73, Title IX, s 962(a)(5), Aug. 9, 1989, 103 Stat. 502; Pub.L. 101-647, Title XII, s 1205(e), Title XXV, s 2597(j), Title XXXV, s 3533, Nov. 29, 1990, 104 Stat. 4831, 4910, 4925; Pub.L. 103-322, Title XXIX, s 290001(b)-(f), Sept. 13, 1994, 108 Stat. 2097-2099; Pub.L. 104-___, Title II, s 201, Oct. 11, 1996, ___ Stat. ___.)

         0 likes

      • Nexusflame
        You say I mistake hardware modding for hacking, but I use hardware hacking as an example. I could have talked about making a quick fix for a flaw in RDP, editing software to make it do a new function, or finding a way to make some software do something that it was not meant to do without the need of changing the code.

        FYI the word hacking came from the Model Train Club at MIT.

        Also you copy pasta Title 18 USC 1030 without really stating what your point was. I have written many papers on Title 18 USC 1030, and have even found flaws within it and sent that info to my Senator (They have not done anything to fix the flaws). Also, in no place does Title 18 USC 1030 mention the word hack, hacking, or hacker, so what was your point again with posting it???

        I look forward to your response.

           1 like

  7. Am I right in thinking the US Constitution says everyone is innocent till proven guilty? Or has that been ripped out to suit corporations, like may of the laws in the US and the UK.

       0 likes

    • Jason Lackey

      Hi Ryan – yes, in the US everyone is innocent until proven guilty. Even those accused of hacking.

         0 likes

      • Sure, everyone is innocent until proved guilty. Unless they decide to use the PATRIOT act against you, in which case they can effectively lock you up and throw away the key. And in the “land of the brave and the home of the free” very few people care as long as they get to eat their fast food and watch their TVs.

        “Those who are prepared to sacrifice liberty for security deserve neither.”

           2 likes

  8. “Most find their way back to the path and carry on, paying taxes, raising families, going to soccer games and the like.”

    Your definition of “good guy”, love it, you are 120% a piece of the system. You have less free will than you really have. Look at that! your definition of happiness includes paying taxes!

       1 like

  9. I really question the actual value of this blog entry. And while some people are treating this as “news”, the truth is that this is just an editorial, which also means it’s subjective to Jason. And while Jason’s opinion is just as valid as anyone else’s, it still doesn’t make his entry completely factual. We’ve only been given a few bits and pieces about the case being pursued by the FBI. So no one should be going overboard with their response to this. Cody is a good guy, and is likely part of a much larger investigation. If he had a conversation with someone else that’s being investigated, he becomes a person of interest, as well. We’ll see how that falls out in the end. But I’ll go ahead and stick with the “innocent until proven guilty” approach until I hear otherwise. Jason, while your article doesn’t say it outright, you perpetuate a sense of “nice guy sadly gone off track and become a sith lord” in your post.

    These are my personal comments, not those of anyone else.

       0 likes

    • Jason Lackey

      Hi Russ – thanks for posting up, I appreciate you taking the time to do so and you make some good points.

         0 likes

  10. Having been served by the “good guys” over the last 4 years of my life, ergo the FBI and COINTELPRO, I am now living much more safely in Mexico. I was harassed and run right out of the country I was born and raised in, good old USA. My crime: I started a web log promoting world peace during the rain of Bush jr. I don’t mean to be rude or disrespectful, but you need to wake up and smell the corruption.

       1 like

  11. “hacking” is NOT illegal.. I can hack my servers all day long. Much like lighting things on fire is not illegal.. I can start a campfire all day long. It’s not until I light you on fire that “starting a fire” is a crime.

    Infosec people should know better than anyone that you should tread lightly on blindly labeling “hacking” as a crime.

       0 likes

  12. Security should be at the top of the list especially for web-based companies. It is something that must never be underestimated because there are people out there counting on your weak link to take advantage.

       0 likes

  13. Catch Me If You Can hehe

       0 likes