I was disheartened to read about the 22 September arrest of alleged LulzSec/Anonymous member Cody Kretsinger (known by the handle ‘recursion’) by the FBI as a suspect in the SQL injection attacks on multiple Sony websites. Note that I was not sad to see the good guys bust a cybercriminal, but I was sad to see a nice guy I had met and talked to briefly at BlackHat Las Vegas 2011 turn out to be a suspect wanted by the FBI.
One of the things we at Cisco try to do is reach out to those studying infosec and wanting to make a career in security. At BlackHat Cisco had a contest where the winner got a Pwnie Express PWN Phone, effectively a modified Nokia N900 with some pentesting software loaded. A group of guys, volunteers with the show from an IT school, were fascinated by the PWN Phone – possibly because in their circle a couple of them had Nokia N900s, a device relatively unknown in North America but somewhat popular in certain hacking circles due to the fact that its OS is Linux-based and thus can be made to run things like metasploit (like the PWN Phone does).
These guys came over and took our quiz, which is what we were using for the contest. Nice guys: polite, friendly, interested in security, networking and IT in general. They all seemed like the type that you might want to have at your company doing IT.
Except that at least one of them seems to have found himself on the dark side, a mistake that may cost him 15 years.
When you are young, it is easy to fall off the true path. Many are fortunate; their transgressions are of the sort that don’t generate logs, never cause too much harm and don’t get them caught. Most find their way back to the path and carry on, paying taxes, raising families, going to soccer games and the like.
One thing that could lead to a belief in ‘hackish’ invincibility, and which could greatly enhance the pull of the dark side, would be a truly untraceable proxy. There are a number of pseudo-anonymous (note the fact that I am not using the term anonymous) proxy services. Recursion used ‘HMA’ (warning: URL contains salty language). In the end, ‘HMA’ didn’t do what its domain name purported, but there are many others. While these services may in fact mask your IP in outbound connections, they do see your IP on inbound connections.
As HMA, the proxy/VPN service that recursion used, states in their blog:
Completely reasonable and exactly the same thing your ISP or mobile operator or anyone else in telecommunications might state. When the feds come knocking with the right papers, the kimono opens right up. Logs and in some cases actual traffic may be captured and forwarded.
If you spend time on forums or IRC, you know that folks on the net can be petty and vindictive. However, if you get in the way of big money or count coup on the feds or law enforcement, the petty noise of IRC will be like a burnt match next to the sun when compared to the great vengeance and furious anger governments and corporations will bring upon you. Governments and large corporations have little sense of humor when threatened and have considerable time, money and other resources. Normally the infosec scales are balanced in the favor of the attacker, who needs to be right only once. However, once you have the full attention of the FBI and others, the tide has turned. All you have to do is make one mistake and let them find it, and it is game over.