The hacking game

Sat, Mar 10, 2012, 00:00

IT LOOKED LIKE a fairly innocuous tweet, sent a few nights before New Year’s Eve: “@anonymouSabu – will you be releasing technical infodox about how the #Stratfor ownage went down? I sure hope so . . .” To the uninitiated, the words have little significance. But, in retrospect, a certain resonance can be detected in the message. The sender was Infodox, a “Security Researcher, Reformed Blackhat, kayaker and student”, according to his Twitter profile. The phrase “Reformed Blackhat” signalled that he used to hack illicitly.

The recipient was Sabu, the leader of LulzSec, or Lulz Security, a notorious gang of hackers who had wreaked havoc on the internet for 50 or so days earlier in 2011, targeting the sites of companies and law-enforcement agencies such as Sony, the Sun newspaper, Fox.com, the CIA, the Arizona Department of Public Safety and the UK’s Serious Organised Crime Agency. Combined, the attacks cost their victims hundreds of millions of dollars.

Sabu could look back on an extraordinary 12 months of hacks and attacks, enough to establish him and his crew of hackers as the most disruptive and high-profile members of a new generation of hacktivists, operating somewhere between online activist and online vandal, even briefly overshadowing Anonymous, the amorphous online collective out of which LulzSec had grown.

For Sabu the year began with “Operation Tunisia”, hacking the website of Ben Ali’s Tunisian government during the Arab Spring; it continued with their attention-grabbing hacking spree, which was followed by the arrest of some LulzSec members during the summer; and it culminated in another LulzSec member, Jeremy Hammond, allegedly leaking to Wikileaks millions of emails from the private US intelligence firm Stratfor.

It was this stunt, or “ownage”, that Infodox was inquiring about in his tweet. But what Infodox couldn’t have known then, though he might have suspected, was that Sabu had begun co-operating with the FBI months earlier. For Infodox this had particularly serious consequences. In the real world Infodox is Darren Martyn, a 19-year-old chemistry student from Co Galway. And on Tuesday he was one of two Irish teenagers named by US federal prosecutors as being members of LulzSec.

The revelation came in an FBI indictment filed in the district court of New York, charging five senior LulzSec members. Indicted alongside Martyn on Tuesday was a teenager from Birr, Co Offaly, Donncha O Cearbhaill, who went by the handle Palladium. The others were Chicago-based Hammond, the Stratfor leaker; Jake Davis, a British hacker known as Topiary who had been the public face of LulzSec; and another British hacker, Ryan Ackroyd. Sabu himself is a 28-year-old New Yorker, Hector Xavier Monsegur, who was charged last August; it is thought this is when he began to co-operate with the FBI.

The news that two members of the internet’s most high-profile hacking group were Irish teenagers prompted understandable surprise here. O Cearbhaill faces one count of hacking and another count of “disclosing an unlawfully intercepted wire communication”, relating to an allegation that he hacked into a garda’s personal email account and managed to access a conference call between FBI agents and officers from Scotland Yard. There is a recording of the call on YouTube. The two offences have a combined maximum 15-year sentence, but O Cearbhaill is an unlikely subject of an FBI investigation: an unassuming-looking 19-year-old Trinity medicinal chemistry student, he has a Twitter-profile photograph that shows him standing alongside Mary McAleese, and he has represented Ireland at the International Olympiads on Informatics. The son of an Offaly county councillor, his LinkedIn page says he got 505 points in the Leaving Cert. According to the FBI indictment, he was arrested last September in relation to the hacking of the Fine Gael website early last year. On Tuesday he was questioned at Terenure Garda station, in Dublin, and released without charge.

Martyn was indicted on two counts of hacking. Each count carries a potential 10-year prison sentence. After the news broke, Martyn, from Claregalway in Co Galway, posted on Boards.ie under his Infodox handle: “Knew it would come out eventually . . . Feck. Oh well . . . I suppose one cannot hide forever from their past . . . We really were not too bright (oh, the wonders of hindsight) and I have been regretting it since before I got caught. As I have said in the past – going blackhat is probably the most stupid thing you can do. I had to learn that the hard way.” He also revealed that LulzSec member Jake Davis suspected Monsegur had begun co-operating with the FBI, as he disappeared for a few weeks last August, around the time of other LulzSec arrests.

The contrast between the small-town upbringing of O Cearbhaill and Martyn and the lives of the US LulzSec members is pronounced. Monsegur lives in a tough New York apartment block, and his father served seven years in prison for selling heroin; Hammond’s father is also in prison, awaiting trial on a charge of aggravated sexual abuse of a minor. On Monday, Monsegur tweeted a defiant message to his followers: “The federal government is run by a bunch of f**king cowards. Don’t give in to these people. Fight back. Stay strong.” A day later he was revealed to be working as an FBI informant.

For the FBI the announcement was a coup. “This is devastating to the organisation,” one FBI official was quoted as saying. “We’re chopping off the head of LulzSec.” They have good reason to publicise their success: according to the technology research firm Gartner, law-enforcement agencies tend to make arrests in only 1 per cent of cybercrime cases.

The writer Misha Glenny, whose book DarkMarket gives a definitive account of the criminal hacking underworld and the law-enforcement efforts to contain it, says the FBI’s approach is becoming commonplace. “It appears [Sabu’s] idealism was genuine, but people have to understand what it’s like when the Feds knock down your door at 4am and you’re subjected to the third degree,” he says. “They can threaten you with many, many years in jail . . . That’s what would have been put to him, I’m absolutely sure. This is a standard technique that has been developed by cyber cops both in the US secret service and in the FBI.”

Glenny believes the punishment for these crimes, particularly in the US, is disproportionate: motivation is not a consideration when it comes to the draconian prison sentences. As far as the FBI is concerned, whether a hacker is seeking to steal credit-card numbers or make a political point, it’s all categorised as criminal. “What your motivation is, whether you have good reason or because you’re curious, whether you want to find out if the Pentagon has been hiding stuff about little green men or if you have a political point to make, that does not interest the FBI,” he says. “Anonymous can be seen to an extent as an authentic representative of an atomised, disaffected, young political class which is seeking to express itself in the way that it knows best, ie through the internet.”

At least one member of Ireland’s hacking community was unsurprised that LulzSec had an Irish member. Seán Ó Briain runs iNetizen.org, which covers hacking culture. In January he hosted CampusCon, a conference for hacking enthusiasts in his native Waterford, inviting speakers from across Ireland and the UK. One of the speakers was Martyn, whom Ó Briain describes as “a really, really nice guy”.

Ó Briain suspected the group had an Irish member after reading some leaked LulzSec chat logs last year. “I could see that one of the guys mentioned the Eircom webhacker, which was a well-known application from a few years back that took advantage of a very weak algorithm for the Eircom wireless routers. As soon as I saw that mentioned, I knew that this guy must have been Irish. We were all trying to figure out who this guy was; then it turned out there were two of them.”

Ó Briain engages in what’s known as white-hat hacking, which is generally benign and positively motivated. He engages in legitimate hacks on dedicated servers and software, and he sets up challenges for other white-hat hackers to engage in. As a hobby, it is misunderstood: the fascination lies in the technical challenge. Sometimes hackers engage in black-hat hacking to test their skills, not to mention the exhilaration of seeing their attacks publicised.

Jeffrey Roe and Martin Mitchell attended Ó Briain’s CampusCon, and in many ways they represent the mainstream, hobbyist face of hacking. “For us, hacking is just about being creative, making and constructing,” says Mitchell. “Which is great: it’s traditionally been more in a digital sense, in programming and electronics, but now people are adapting it for crafting too, making things.” Roe points out that the word hacking has been reappropriated to mean any sort of ingenious short cut or workaround.

The pair are uncomfortable with how events such as the LulzSec arrests affect the perception of their own pastime, and they are wary of the potential negative associations. An interest in information security shouldn’t be seen as disreputable, they point out. Indeed, anyone who works in the technology sector will emphasise the value of hacking as a skill: one Irish technology entrepreneur illustrates the advantages. “On one occasion the head of our operations team hacked into one of our own servers to regain control after someone accidentally locked out all access,” he says. In this light the charges against Martyn and O Cearbhaill are all the more unfortunate: they have highly prized talents that are likely to ensure they would be in high demand in a tech-focused economy.

During his research for DarkMarket, Misha Glenny communicated with many Irish hackers. “Be proud on one level that you’ve got a lot of skilled young characters, whose potential contribution to the Irish economy is significant,” he says. “But what that means is that the Irish State has not yet worked out how to mobilise the computer skills that exist.”

The solution, he suggests, is a pragmatic, positive approach. “The issue is that you have all these young kids who are developing their skills on the internet, and who are exploring as adolescents do, and sometimes they’re very, very brilliant . . . We need to engage with hackers. We need to spot them, we need to help them. We should not be treating them solely as criminals.”

Hack talk: Break through the jargon

Black hat: Illicit, often criminal, hacking, sometimes with the intent to cause damage or seek profit.

White hat: Positively motivated hacking, often discovering exploits and informing victims rather than publicising them.

Grey hat: Nothing is ever black or white, especially not in hacking, so grey hat refers to the range of activity that falls between the two.

Crackers: Criminal hackers, often involved in large-scale credit-card fraud or other money-making hacking activities.

DOS: Denial-of-service attack, a brute-force assault on a website by bombarding it with communication requests, overloading the servers and effectively knocking out the site.

AntiSec: A series of attacks orchestrated by former LulzSec members in collaboration with Anonymous members.

Ownage/pwnage/Pwned: There is no easy definition for this widely used phrase, but it suggests establishing dominance over, for example, a company server.

This hacking life: ‘The farther you go beyond legal limits, the more you hide’

Matthieu Bouthors takes a quick glance around the cafe, a busy place near Saint-Lazare train station in Paris where office workers and students are pouring in for their morning coffee. At our corner table, I’ve asked whether he sees anything here that he could work with.

He thumbs his iPhone and places it back on the table. “Free Wi-Fi, but it’s not secured,” he replies. “It’s fairly easy to look at what everyone else is doing, to access all the information from their internet session.” Email? “Depending on how it’s set up. You have plenty of possibilities.”

Bouthors, a 27-year-old Parisian, belongs to a small collective named hackerzvoice. With a core of 20 young hackers, and 10 more who “come and go”, the group holds monthly meetings and an annual Hack Night where members share big discoveries, give workshops and pool ideas on finding chinks in the armour of digital and online security.

Hackerzvoice describes itself as “99 per cent white hat”, slang for ethical hacking whose motivation is either to improve security or simply the thrill of the breach itself.

A black-hat hacker sets out to inflict damage or make money, and a hacktivist works in the service of ideology. But for Bouthors, the goal is the very act of picking digital locks and sharing the information.

“A hacker is someone who likes riddles, mysteries, who likes to think through problems. Let’s say I decide to look at the website of this bank next door, to see how it works. It’s not going to tell me, ‘There are interesting things there, but not there.’ I have to work it out. It’s a riddle.”

At a recent hackerzvoice meeting, Bouthors – an engaging, confident speaker who studied IT engineering and works for a tech firm by day – gave a presentation on how images could be used to extract information from people’s computers. He recently identified a vulnerability in wikis – websites that allow users to add or modify content through their web browsers – which allowed him to copy passwords and pass himself off as the site’s administrator. Another member of the group recently discovered how to duplicate a Métro ticket.

While hackerzvoice is at pains to stress its ethical stance, Bouthors concedes that nearly all hacking skirts legal boundaries. “We’re clearly just about crossing a line,” he says. “We’re always at the limit, from a legal point of view. The farther people push beyond that limit, the more they tend to lie low. Take Anonymous. That could never work with a structure like ours. It would last two days. The farther you move beyond the legal limits, the more you tend to hide.”

When members of the collective find a vulnerability in a website, they usually inform the company or organisation and advise it to fix the flaw. But Bouthors admits opinion is divided on this; some members prefer to make the breach public even before it has been patched.

“We don’t impose rules on people. Hackers are very independent people. If you set them a limit, they’ll want to get around it.” That idea – pushing limits, skirting boundaries – is the essence of hacking philosophy, he says. And for him, it’s also an end in itself. “The idea is to identify a vulnerability. Once you have identified it, you have what you want. You have solved the riddle. That’s where the satisfaction lies.”

Ruadhán Mac Cormaic