UK cops: How we sniffed out convicted AnonOps admin 'Nerdo'

Analysis of IRC logs and open source intelligence played a key role in the successful police prosecution that led to the conviction of a member of Anonymous for conspiracy to launch denial of service attacks against PayPal and other firms. Christopher "Nerdo" Weatherhead, 22, was convicted on one count of conspiracy to impair …

COMMENTS

This topic is closed for new posts.



good work

despite poor funding from the gov.

18
3

Re: good work

Good work? They signed onto a chat room and googled the names. It's not rocket science!

7
16

Re: good work

I noticed that it didn't involve any brain surgery either.

5
0

Re: good work

Also, nobody changed any sprockets on a cassette, so no bicycle maintenance either...

0
0
Anonymous Coward

Re: good work

It's called an investigation - and it is a very good example of why things like the snoopers charter are completely unnecessary

26
1
Anonymous Coward

Re: good work

Yes, Good work anonymous! Keep up the fight!

2
2

"And I would have got away with it too, if it hadn't been for my X-Box gamer tag

and you meddling script kids!"

17
0

IRC is not secure

And it never has been. It's quite easy to sniff entire conversations off the wire.

2
0

Re: IRC is not secure

I don't think we're dealing with expert hackers here who thoroughly considered the link back to themselves.

Tor and Truecrypt use wouldn't be enough to cover your tracks online on their own. Tor, in particular, can be inherently leaky unless you're paranoid about what packets you send out over it (accidentally leave your IM/Skype/Email running? Whoops, there's identification right there). These people were caught by unencrypted browser histories (by the sound of it, which suggests use of non-full-disk encryption, or encrypted dual-systems - TrueCrypt's "plausible deniability" - where activities spilled over into unencrypted parts, or the part covered by the password they *did* share, of the disks).

And leaving proof-of-hosting just laying around on encrypted partitions? That's just amateur.

Organising over IRC? In comparison that's quite minor, but that's just asking for trouble too, because you leave full logs wherever you go - even accidentally - because a lot of people record IRC 24/7 so they can go to sleep and "catch up" on what happened later. Coordinating the attacks over IRC with random, unverified people (who were probably NOT using such methods to keep their identities hidden) seems a bit daft - especially if some of those people then moved onto social networks to pull in more people. And even using the same username - though that's hardly hard evidence, it suggests a complete lack of thought between connections of you and your activities. You couldn't convict on that alone, but if it gets to the point that there's some decent suspicion you were involved and YOUR Internet name has always been X and Internet name X appears on connections associated with the suspicion, the hosting, the IRC admins, etc. then it's just another nail in your coffin.

That said, not much would have saved them by that point anyway. I suspect that if they *didn't* hand over their TrueCrypt details, that's enough to convict them anyway (perverting the course of justice by failing to provide evidence - though there's a question of self-incrimination - or one of the newer laws would handle that quite nicely). So they weren't going to get away with it once it had come down to a handful of people of interest, and giving away your username, geographical location, and leaving a trail of history since your teenage years on those same details would give police an address in a matter of minutes (one phone call to XBox Live, I would think). Even if it was only as a suspect, you would be having a word with the boys in blue within moments and then explaining why you won't decrypt all those hard drives you have is going to be tricky to make stand up in court.

The story could well have been very different, but only if they actually knew enough about computers, and bothered to try to hide their identities properly. But even then, just finding evidence of connecting to the IRC channel and (then) a TrueCrypt volume that you refuse to decrypt is enough to throw you in jail.

They were sloppy, and got caught, and probably thought they were immune right until the verdict. One of the reasons I would be *useless* in any sort of online activism. I often find programs connecting that I'd forgotten all about (even with software firewalls that warn me), have DNS settings that for years send DNS requests to my old ISP's server, etc.

An example? Windows Vista and above talks to a server to establish the "Internet Connection" or not status of your connections. There are registry entries to tweak what server it talks to and what it expects to find in a named file on that server. I tweaked mine to point to my own private server (the theory being, if anyone is stupid enough to steal and then turn on my machine while it's on the Internet, I would capture their IP from the Apache logs), and then forgot about it for ages until I wondered why my icons never showed Internet connectivity. That's just the kind of stupid stuff that would catch me out before I even started.

19
2

Re: IRC is not secure

Depends on the network. It's possible to use SSL, though of course you need SSL between all the nodes as well as from client to server.

I've also had fun with various encryption methods that make you and others with the key able to see the text, but everyone else in-channel sees a load of g&7b6^&f7&^fvk8.

Of course, as the post above mentions, this isn't perfect!

2
0

Re: IRC is not secure

Using TrueCrypt is surely a WTF. Everyone knows what TrueCrypt is. The risk is you somehow drop the fact you've used it. Then you are screwed.

You are better off wiping the machine after use after dumping persistent data (tools, etc) on a micro SD card, encrypted. A micro SD card can be swallowed or destroyed easily. Encrypting the files on the card with your own algorithms (over and above mainstream ones if you must) and disguising them as PNG files and the like, and setting up a context for them to exist... oh look, they are PNGs in the texture folder of a game you are writing. I know rolling your own encryption algorithms is frowned upon, but the obscurity side of it seems more secure. I mean it's not like they are going to be setting actual experts on your machine for years to figure out what's going on.

I am not inclined to break the law and haven't done so, so what do I know, but that's what I would do.

Oh and hide a legitimate laptop stuffed with legitimate files under the floorboard in the attic. That'll confuse them for a time. They'll probably assign about 3 actual experts to your case, so just create 5 time-wasting lines of red herrings.

5
4

Re: IRC is not secure

I remember reading about someone who booted his PC off a minimal unix USB stick (this was a while back when sizes weren't so great) which he kept away from the PC - the main OS and his personal files were held on an encrypted partition physically held inside the swap file of the windows install on the machine... He also had enough 'crap' in windows startup to cause most of this swap to be used.

So...... He plugs his USB stick in, boots up into unix and all is there.

If someone else boots up, they get a 'normal' windows installation, and end up overwriting the swap file data.

Even if someone takes a forensic copy of the disk without booting it, all they'll see is a swap file full of 'meaningless' data

7
0
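A caveat to the swap-file trick in the post above, as an added example that is not part of that post or of the article: a forensic copy of the disk is routinely run through an entropy scan, and a long run of near-8-bits-per-byte blocks inside a swap file stands out rather than blending in. The code below is constructed for this page: it computes Shannon entropy per 4 KiB block over a stand-in image built from zero pages, plain text and a random region (os.urandom standing in for an encrypted container; no real TrueCrypt volume is involved), and collapses the flagged blocks into contiguous runs an examiner would go and look at.

```python
import math
import os
from collections import Counter

BLOCK_SIZE = 4096
# Near 8 bits/byte means no byte value is favoured, which is what encrypted or
# well-compressed data looks like. Ordinary swap contents (zeroed pages, text,
# page tables) score far lower, so the threshold can sit well below 8.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan(image, block_size=BLOCK_SIZE, threshold=ENTROPY_THRESHOLD):
    """Return (offset, entropy, flagged) for every block of the image."""
    results = []
    for off in range(0, len(image), block_size):
        h = shannon_entropy(image[off:off + block_size])
        results.append((off, round(h, 2), h >= threshold))
    return results


def suspicious_runs(results):
    """Collapse consecutive flagged blocks into (start_offset, block_count) runs."""
    runs, start, count = [], None, 0
    for off, _h, flagged in results:
        if flagged:
            if start is None:
                start = off
            count += 1
        elif start is not None:
            runs.append((start, count))
            start, count = None, 0
    if start is not None:
        runs.append((start, count))
    return runs


def build_sample_image():
    """Constructed stand-in for a swap file (not a real capture): two zero pages,
    two pages of text, three pages of random bytes, then two more zero pages."""
    zeros = b"\x00" * (2 * BLOCK_SIZE)
    text = (b"The quick brown fox jumps over the lazy dog. " * 200)[:2 * BLOCK_SIZE]
    random_region = os.urandom(3 * BLOCK_SIZE)  # stands in for an encrypted container
    return zeros + text + random_region + zeros


if __name__ == "__main__":
    for start, count in suspicious_runs(scan(build_sample_image())):
        print(f"high-entropy run at offset {start}: {count} blocks of {BLOCK_SIZE} bytes")
```

Real swap files do contain some compressed or already-encrypted pages (browser caches, TLS buffers), so a single hot block proves nothing; what an examiner acts on is a large, contiguous run at a stable offset across imaging sessions, which is precisely what a hidden partition produces.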

Re: IRC is not secure

> I don't think we're dealing with expert hackers here who

> thoroughly considered the link back to themselves.

An "expert hacker" being someone who has been caught once, and learned the hard way that the ones that get caught are the ones that mistakenly believe they will never get caught.

EXPERT HACKER QUIZ: Choose the best answer:

I will never get caught because:

1) The authorities are too stupid,

2) I am too smart

3) Only a small fraction get caught anyway

4) I am too paranoid

ANSWERS:

If you answered 1-3, that knock at the door is the police

If you answered (4), you are a good hacker.

If you are too paranoid to even participate in the survey then you may be an expert hacker.

Thank You for taking our survey.

10
0
Anonymous Coward

Re: IRC is not secure

Maybe they just caught the sloppy ones.

1
0
Anonymous Coward

Re: IRC is not secure

If I was going to try something like this, I would boot off of a live CD and a hard drive would not even be involved.

1
0

@Gale

Encryption is one option, but I think the most obvious one is getting on a network which fully hides your hostmasks. It doesn't fully say but if I read the article right they didn't even have this kind of protection, which would be kind of amateurish when right.

0
0

Re: IRC is not secure

...should have used BBM innit bled.

0
0

NIC?

Not "nick"?

9
0

Re: NIC?

Easy to get confused once you've found out their MAC address...

3
0

Re: NIC?

But what if they have a PC?

1
0

Re: NIC?

...."'ello 'ello, you're NIC'd!!"

1
0

"The wider collective might claim to be leaderless," Massie explained. "But the IRC channel had a power structure and hierarchy that was clear from looking at what was going on."

And this is new how? Every mob has its instigators - what do you think the ablative armor in front is for if not for rhetorical hiding behind?

3
2

Anyone that used LOIC

Clearly your card is marked too, and at minimum permanently on a list, possibly even getting a visit from the plod ... I hope it was worth it...

5
3
Anonymous Coward

Re: Anyone that used LOIC

Plausible deniability - just make sure you have a zombie Windows PC to blame.

0
2

So now the cops give away THEIR OWN secrets

That doesn't seem like a very good idea

3
2
Anonymous Coward

Re: So now the cops give away THEIR OWN secrets

But they're dealing with conspiracy theorists who will immediately assume that because the police are telling everyone that they can find out all they need from IRC and old gamer tags then that is because they want people to think those methods are insecure and stop using them because in reality they are so secure the police can't trace you if you do that - hence they'll all flood onto IRC with old gamer tags ... and run straight into the double-conspiracy trap that's been set.

N.b. if you think this is far fetched ... I remember a few years ago when MINT telecom came up with a global PAYG SIM card and the US authorities made a big deal about how terrorists could buy the SIMs for cash and they wouldn't be traceable. Turned out that Al-Qaeda believed this to such an extent that later a US general commented that they monitored the Afghan/Iraqi mobile networks and as soon as they saw a MINT SIM card connecting they sent in the forces .... only problem was he wasn't meant to say that, as immediately Al-Qaeda stopped using mobiles completely!

8
0
Anonymous Coward

Re: So now the cops give away THEIR OWN secrets

It's hardly a secret, and in a modern free nation the police are supposed to tell you what information they have and how they got it, to make sure they didn't just magic it out of thin air or acquire it by plugging your genitals into a car battery.

13
1

Re: AC@13:46

You forgot the ignition coil between the car battery and the genitals.

0
1

Re: So now the cops give away THEIR OWN secrets

Yes, they do have to give that info in a court but NOT in a news conference!!

1
2

Re: AC@13:46... You forgot the ignition coil between the car battery and the genitals.

Or the hand held Taser!

0
0

Re: So now the cops give away THEIR OWN secrets

@AC 12:19 You so should not have gone anon. That post needed a helicopters approaching icon right there.

0
0

@harmjschoonhoven Re: AC@13:46

Nah. You want the good low voltage with that high chunky current. Not the other way 'round.

0
0

Re: info in a court but NOT in a news conference!!

Court records are open records or the courts cease to serve their purpose. Might as well get a few kudos in public instead of just letting word spread on the back streets of the interwebs.

0
0

PC Plod is as PC Plod does ...... and he just takes and follows orders and is a puppet to muppets?

The elephant in the room which makes a mockery of justice and fools of law officers ...... and extraordinarily renders politicians as knowing accessories to fraud and crime and unfit for good governance purpose, ...... http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/9743839/Banks-are-too-big-to-prosecute-says-FSAs-Andrew-Bailey.html?

Is that collusion or a conspiracy?

2
3

Re: PC Plod is as PC Plod does .. and he just takes and follows orders and is a puppet to muppets?

Ah, noticed that too, eh? Police very quick to go after 'little' easy targets, not so quick or willing to take down the *real* crims.

Is it collusion or conspiracy?

It's answer D: ALL OF THE ABOVE.

2
0
Anonymous Coward

So next time copy some poor sod's Xbox gamer tag, use that as your IRC name and sit back and watch PC Plod 'find' kiddie porn on his/her machine.

1
2

Totally. All the police do all day is cook up ways to frame nobodies because they hate the public and have nothing better to do. You are so right.

2
1

Folks, no technology, platform or software is secure if used inappropriately.

6
2
Anonymous Coward

"no technology, platform or software is secure if used inappropriately." But no technology, platform or software is totally secure, even when used appropriately.

2
1

Who's next???

Christopher "Nerdo" Weatherhead, 22, was convicted on one count of conspiracy to impair the operation of computers

So when will the inventors of TIFKAM and Ribbon be up in front of the beak?

7
2

Re: Who's next???

If you haven't figured out how to use the Ribbon up to its potential by now you've really dropped the ball. A completely customizable interface that gives you instant access to all the features you want to utilize: Try using all the opportunities Ribbon offers before you whinge.

4
15

Re: Who's next???

There must be a case against the members of project Longhorn though.

3
1

Put the little snot away for a long time.

As well as his other playmates. 10 years would be a good start.

4
5
Anonymous Coward

Another dirtbag bites the dust

He ain't so anonymous any more. Send them all to prison.

4
6

Dear UK gov.

See? What you need are diligent, skilful, investigators who are well-versed in their area of investigation.

You don't need to put the entire civilian population under a blanket of constant surveillance to catch criminals. Laziness is not an excuse for creating a police state.

Yours sincerely,

Everyone.

14
0
Anonymous Coward

TrueCrypt != Guilt

I really object to statements like "Using TrueCrypt is surely a WTF. Everyone knows what TrueCrypt is." Since when did being security conscious mean you are guilty of a crime?

We are getting to the stage where everyone *should* be encrypting their data to stop people leaving it around on memory sticks and laptops, and then here you are saying that it means someone must be up to no good!?

utterly absurd

10
0

Re: TrueCrypt != Guilt

TrueCrypt has a "Hidden Volume" function, but if you let others know you are using it, it defeats the advantage of that function. Under UK law (unlike US law) you can be compelled to provide a key. Failure to provide the key is a crime in-and-of itself (punishable by two years in prison).

So, using TrueCrypt is not a crime. Failure to provide the key is.

5
0

using well-established nicknames that they'd also used as XBox gaming tags

Hahahahahahaha!

Muppets.

10
0
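The two observations in this thread that the article turns on, the visible power structure in the IRC channel (the Massie quote above) and nicknames reused verbatim as Xbox gamer tags, are exactly what an analyst's first pass over seized or captured logs looks for. The following is an added example written for this page; it is not code from the police investigation, the article, or any commenter. It parses constructed IRC client log lines (the timestamp format, nicks, channel name and gamer-tag list are all made up here), counts who issues mode changes and kicks to rank nicks by control over the channel, and then matches the nicks, case-insensitively as IRC treats them, against an OSINT list of gamer tags.

```python
import re
from collections import defaultdict

# Constructed sample IRC log (not a real capture). The layout mimics a common
# client log: timestamp, then either a "***" status line or a <nick> message.
SAMPLE_LOG = """\
[21:02:11] *** nerdo_ sets mode +o fennic on #target
[21:02:40] <nerdo_> everyone load the tool, target list in topic
[21:03:02] <fennic> on it
[21:03:15] <randomguy> whats the target
[21:03:20] *** nerdo_ sets mode +b randomguy!*@* on #target
[21:03:21] *** randomguy was kicked by nerdo_ (read the topic)
[21:05:00] <peter> firing
[21:05:30] *** fennic sets mode +v peter on #target
"""

# Constructed OSINT data: gamer tags seen on public profiles. Not real.
GAMER_TAGS = {"Nerdo_": "Xbox Live", "peter": "Xbox Live"}

TS = r"^\[\d\d:\d\d:\d\d\] "
MODE_RE = re.compile(TS + r"\*\*\* (\S+) sets mode ([+-]\w+) (\S+) on (#\S+)$")
KICK_RE = re.compile(TS + r"\*\*\* (\S+) was kicked by (\S+)")
MSG_RE = re.compile(TS + r"<(\S+)> (.*)$")


def analyse(log):
    """Per-nick counts of control actions issued, modes received and messages sent."""
    stats = defaultdict(lambda: {"mode_changes": 0, "kicks": 0,
                                 "messages": 0, "received_modes": []})
    for line in log.splitlines():
        if m := MODE_RE.match(line):
            actor, mode, target, _chan = m.groups()
            stats[actor]["mode_changes"] += 1
            # A ban target is a nick!user@host mask; keep only the nick part.
            stats[target.split("!", 1)[0]]["received_modes"].append(mode)
        elif m := KICK_RE.match(line):
            _victim, actor = m.groups()
            stats[actor]["kicks"] += 1
        elif m := MSG_RE.match(line):
            nick, _text = m.groups()
            stats[nick]["messages"] += 1
    return dict(stats)


def rank_by_control(stats):
    """Nicks ordered by control actions issued (mode changes + kicks), then by talk volume."""
    return sorted(stats,
                  key=lambda n: (stats[n]["mode_changes"] + stats[n]["kicks"],
                                 stats[n]["messages"]),
                  reverse=True)


def correlate(stats, tags):
    """Nicks from the log that also appear as gamer tags, ignoring case."""
    lowered = {t.lower(): (t, src) for t, src in tags.items()}
    return {n: lowered[n.lower()] for n in stats if n.lower() in lowered}


if __name__ == "__main__":
    s = analyse(SAMPLE_LOG)
    print("control ranking:", rank_by_control(s))
    print("nick -> gamer tag:", correlate(s, GAMER_TAGS))
```

Mode changes and kicks are the cheapest signal of who actually holds operator status regardless of what the channel claims about being leaderless; a fuller pass would also parse JOIN and TOPIC lines and the complete nick!user@host masks, which this sample log deliberately leaves out.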
Police perform proper investigation shocker!

Good police work catches criminals, requires no new laws!

8
0
Re: Police perform proper investigation shocker!

I would agree totally, but I must add the rider that it's BAD work to publicise your methods and explain where the ungodly goofed, 'cos that means 2013's ungodly probably won't make the same slip...

1
0