UK cops: How we sniffed out convicted AnonOps admin 'Nerdo'

Analysis of IRC logs and open source intelligence played a key role in the successful police prosecution that led up to the conviction of a member of Anonymous for conspiracy to launch denial of service attacks against PayPal and other firms. Christopher "Nerdo" Weatherhead, 22, was convicted on one count of conspiracy to impair …

COMMENTS

This topic is closed for new posts.
  1. Justin Stringfellow
    Thumb Up

    good work

    despite poor funding from the gov.

    1. DanDanDan
      Trollface

      Re: good work

      Good work? They signed onto a chat room and googled the names. It's not rocket science!

      1. Justin Stringfellow
        Meh

        Re: good work

        I noticed that it didn't involve any brain surgery either.

        1. Jon Double Nice

          Re: good work

          Also, nobody changed any sprockets on a cassette, so no bicycle maintenance either...

          1. Anonymous Coward
            Anonymous Coward

            Re: good work

            It's called an investigation - and it is a very good example of why things like the snoopers charter are completely unnecessary

    2. Anonymous Coward
      Anonymous Coward

      Re: good work

      Yes, Good work anonymous! Keep up the fight!

  2. Smallbrainfield
    Facepalm

    "And I would have got away with it too, if it hadn't been for my X-Box gamer tag

    and you meddling script kids!"

  3. Crisp

    IRC is not secure

    And it never has been. It's quite easy to sniff entire conversations off the wire.

    1. Lee Dowling Silver badge

      Re: IRC is not secure

      I don't think we're dealing with expert hackers here who thoroughly considered the link back to themselves.

      Tor and Truecrypt use wouldn't be enough to cover your tracks online on their own. Tor, in particular, can be inherently leaky unless you're paranoid about what packets you send out over it (accidentally leave your IM/Skype/Email running? Whoops, there's identification right there). These people were caught by unencrypted browser histories (by the sound of it, which suggests use of non-full-disk encryption, or encrypted dual-systems - TrueCrypt's "plausible deniability" - where activities spilled over into unencrypted parts, or the part covered by the password they *did* share, of the disks).

      And leaving proof-of-hosting just lying around on encrypted partitions? That's just amateur.

      Organising over IRC? In comparison that's quite minor, but that's just asking for trouble too, because you leave full logs wherever you go - even accidentally - because a lot of people record IRC 24/7 so they can go to sleep and "catch up" on what happened later. Coordinating the attacks over IRC with random, unverified people (who were probably NOT using such methods to keep their identities hidden) seems a bit daft - especially if some of those people then moved onto social networks to pull in more people. And even using the same username - though that's hardly hard evidence, it suggests a complete lack of thought between connections of you and your activities. You couldn't convict on that alone, but if it gets to the point that there's some decent suspicion you were involved and YOUR Internet name has always been X and Internet name X appears on connections associated with the suspicion, the hosting, the IRC admins, etc. then it's just another nail in your coffin.

      That said, not much would have saved them by that point anyway. I suspect that if they *didn't* hand over their TrueCrypt details, that's enough to convict them anyway (perverting the course of justice by failing to provide evidence - though there's a question of self-incrimination - or one of the newer laws would handle that quite nicely). So they weren't going to get away with it once it had come down to a handful of people of interest, and giving away your username, geographical location, and leaving a trail of history since your teenage years on those same details would give police an address in a matter of minutes (one phone call to XBox Live, I would think). Even if it was only as a suspect, you would be having a word with the boys in blue within moments and then explaining why you won't decrypt all those hard drives you have is going to be tricky to make stand up in court.

      The story could well have been very different, but only if they actually knew enough about computers, and bothered to try to hide their identities properly. But even then, just finding evidence of connecting to the IRC channel and (then) a TrueCrypt volume that you refuse to decrypt is enough to throw you in jail.

      They were sloppy, and got caught, and probably thought they were immune right until the verdict. One of the reasons I would be *useless* in any sort of online activism. I often find programs connecting that I'd forgotten all about (even with software firewalls that warn me), have DNS settings that for years send DNS requests to my old ISP's server, etc.

      An example? Windows Vista and above talks to a server to establish the "Internet Connection" or not status of your connections. There are registry entries to tweak what server it talks to and what it expects to find in a named file on that server. I tweaked mine to point to my own private server (the theory being, if anyone is stupid enough to steal and then turn on my machine while it's on the Internet, I would capture their IP from the Apache logs), and then forgot about it for ages until I wondered why my icons never showed Internet connectivity. That's just the kind of stupid stuff that would catch me out before I even started.

      1. NomNomNom

        Re: IRC is not secure

        Using TrueCrypt is surely a WTF. Everyone knows what TrueCrypt is. The risk is you somehow drop the fact you've used it. Then you are screwed.

        You are better off wiping the machine after use, after dumping persistent data (tools, etc) on an encrypted micro SD card. A micro SD card can be swallowed or destroyed easily. Encrypting the files on the card with your own algorithms (over and above mainstream ones if you must) and disguising them as PNG files and the like, and setting up a context for them to exist... oh look, they are PNGs in the texture folder of a game you are writing. I know rolling your own encryption algorithms is frowned upon, but the obscurity side of it seems more secure. I mean it's not like they are going to be setting actual experts on your machine for years to figure out what's going on.

        I am not inclined to break the law and haven't done so, so what do I know, but that's what I would do.

        Oh and hide a legitimate laptop stuffed with legitimate files under the floorboard in the attic. That'll confuse them for a time. They'll probably assign about 3 actual experts to your case, so just create 5 time-wasting lines of red herrings.

        1. Jamie Jones Silver badge
          Big Brother

          Re: IRC is not secure

          I remember reading about someone who booted his PC off a minimal unix USB stick (this was a while back when sizes weren't so great) which he kept away from the PC - the main OS and his personal files were held on an encrypted partition physically held inside the swap file of the windows install on the machine... He also had enough 'crap' in windows startup to cause most of this swap to be used.

          So...... He plugs his USB stick in, boots up into unix and all is there.

          If someone else boots up, they get a 'normal' windows installation, and end up overwriting the swap file data.

          Even if someone takes a forensic copy of the disk without booting it, all they'll see is a swap file full of 'meaningless' data

          1. Anonymous Coward
            Anonymous Coward

            Re: IRC is not secure

            If I was going to try something like this, I would boot off of a live CD and a hard drive would not even be involved.

      2. BillG
        Alert

        Re: IRC is not secure

        > I don't think we're dealing with expert hackers here who

        > thoroughly considered the link back to themselves.

        An "expert hacker" being someone who has been caught once, and learned the hard way that the ones that get caught are the ones that mistakenly believe they will never get caught.

        EXPERT HACKER QUIZ: Choose the best answer:

        I will never get caught because:

        1) The authorities are too stupid,

        2) I am too smart

        3) Only a small fraction get caught anyway

        4) I am too paranoid

        ANSWERS:

        If you answered 1-3, that knock at the door is the police

        If you answered (4), you are a good hacker.

        If you are too paranoid to even participate in the survey then you may be an expert hacker.

        Thank You for taking our survey.

      3. Anonymous Coward
        Anonymous Coward

        Re: IRC is not secure

        Maybe they just caught the sloppy ones.

    2. M Gale

      Re: IRC is not secure

      Depends on the network. It's possible to use SSL, though of course you need SSL between all the nodes as well as from client to server.

      I've also had fun with various encryption methods that make you and others with the key able to see the text, but everyone else in-channel sees a load of g&7b6^&f7&^fvk8.

      Of course, as the post above mentions, this isn't perfect!

      1. Anonymous Coward
        Anonymous Coward

        @Gale

        Encryption is one option, but I think the most obvious one is getting on a network which fully hides your hostmasks. It doesn't fully say, but if I read the article right they didn't even have this kind of protection, which would be kind of amateurish if that's right.

    3. Derezed
      Boffin

      Re: IRC is not secure

      ...should have used BBM innit bled.

  4. M Gale

    NIC?

    Not "nick"?

    1. Anonymous Coward
      Joke

      Re: NIC?

      Easy to get confused once you've found out their MAC address...

      1. Graham Dawson Silver badge
        Holmes

        Re: NIC?

        But what if they have a PC?

    2. Mr_Blister
      Facepalm

      Re: NIC?

      ...."'ello 'ello, you're NIC'd!!"

  5. Quinch
    FAIL

    "The wider collective might claim to be leaderless," Massie explained. "But the IRC channel had a power structure and hierarchy that was clear from looking at what was going on."

    And this is new how? Every mob has its instigators - what do you think the ablative armor in front is for if not for rhetorical hiding behind?

  6. Anonymous Coward
    Thumb Up

    Anyone that used LOIC

    Clearly your card is marked too, and at minimum permanently on a list, possibly even getting a visit from the plod ... I hope it was worth it...

    1. Anonymous Coward
      Anonymous Coward

      Re: Anyone that used LOIC

      Plausible deniability - just make sure you have a zombie Windows PC to blame.

  7. banjomike
    FAIL

    So now the cops give away THEIR OWN secrets

    That doesn't seem like a very good idea

    1. Anonymous Coward
      Anonymous Coward

      Re: So now the cops give away THEIR OWN secrets

      But they're dealing with conspiracy theorists who will immediately assume that because the police are telling everyone that they can find out all they need from IRC and old gamer tags then that is because they want people to think those methods are insecure and stop using them because in reality they are so secure the police can't trace you if you do that - hence they'll all flood onto IRC with old gamer tags ... and run straight into the double-conspiracy trap that's been set.

      N.b. if you think this is far fetched ... I remember a few years ago when MINT telecom came up with a global PAYG SIM card and the US authorities made a big deal about how terrorists could buy the SIMs for cash and they wouldn't be traceable. Turned out that Al-Qaeda believed this to such an extent that later a US general commented that they monitored the Afghan/Iraqi mobile networks and as soon as they saw a MINT SIM card connecting they sent in the forces .... only problem was he wasn't meant to say that, as immediately Al-Qaeda stopped using mobiles completely!

      1. Derezed
        Facepalm

        Re: So now the cops give away THEIR OWN secrets

        @AC 12:19 You so should not have gone anon. That post needed a helicopters approaching icon right there.

    2. Anonymous Coward
      Anonymous Coward

      Re: So now the cops give away THEIR OWN secrets

      It's hardly a secret, and in a modern free nation the police are supposed to tell you what information they have and how they got it, to make sure they didn't just magic it out of thin air or acquire it by plugging your genitals into a car battery.

      1. harmjschoonhoven
        Facepalm

        Re: AC@13:46

        You forgot the ignition coil between the car battery and the genitals.

        1. Fatman

          Re: AC@13:46...You forgot the ignition coil between the car battery and the genitals.

          Or the hand-held taser!

        2. Rick Giles
          Coat

          @harmjschoonhoven Re: AC@13:46

          Nah. You want the good low voltage with that high chunky current. Not the other way 'round.

      2. banjomike

        Re: So now the cops give away THEIR OWN secrets

        Yes, they do have to give that info in a court but NOT in a news conference!!

        1. Tom 13

          Re: info in a court but NOT in a news conference!!

          Court records are open records or the courts cease to serve their purpose. Might as well get a few kudos in public instead of just letting word spread on the back streets of the interwebs.

  8. amanfromMars 1 Silver badge

    PC Plod is as PC Plod does ...... and he just takes and follows orders and is a puppet to muppets?

    The elephant in the room which makes a mockery of justice and fools of law officers ...... and extraordinarily renders politicians as knowing accessories to fraud and crime and unfit for good governance purpose, ...... http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/9743839/Banks-are-too-big-to-prosecute-says-FSAs-Andrew-Bailey.html?

    Is that collusion or a conspiracy?

    1. Wombling_Free

      Re: PC Plod is as PC Plod does .. and he just takes and follows orders and is a puppet to muppets?

      Ah, noticed that too, eh? Police very quick to go after 'little' easy targets, not so quick or willing to take down the *real* crims.

      Is it collusion or conspiracy?

      It's answer D: ALL OF THE ABOVE.

  9. Anonymous Coward
    Anonymous Coward

    So next time copy some poor sod's Xbox gamer tag, use that as your IRC name and sit back and watch PC Plod 'find' kiddie porn on his/her machine.

    1. Derezed
      Big Brother

      Totally. All the police do all day is cook up ways to frame nobodies because they hate the public and have nothing better to do. You are so right.

  10. NoneSuch Silver badge
    Linux

    Folks, no technology, platform or software is secure if used inappropriately.

    1. Anonymous Coward
      Anonymous Coward

      "no technology, platform or software is secure if used inappropriately." But no technology, platform or software is totally secure, even when used appropriately.

  11. Silverburn
    Windows

    Who's next???

    Christopher "Nerdo" Weatherhead, 22, was convicted on one count of conspiracy to impair the operation of computers

    So when will the inventors of TIFKAM and Ribbon be up in front of the beak?

    1. Don Jefe
      Windows

      Re: Who's next???

      If you haven't figured out how to use the Ribbon up to its potential by now you've really dropped the ball. A completely customizable interface that gives you instant access to all the features you want to utilize: Try using all the opportunities Ribbon offers before you whinge.

      1. Anonymous Coward
        Coat

        Re: Who's next???

        There must be a case against the members of project Longhorn though.

  12. ItsNotMe
    Mushroom

    Put the little snot away for a long time.

    As well as his other playmates. 10 years would be a good start.

  13. Anonymous Coward
    Anonymous Coward

    Another dirtbag bites the dust

    He ain't so anonymous any more. Send them all to prison.

  14. bluest.one

    Dear UK gov.

    See? What you need are diligent, skilful, investigators who are well-versed in their area of investigation.

    You don't need to put the entire civilian population under a blanket of constant surveillance to catch criminals. Laziness is not an excuse for creating a police state.

    Yours sincerely,

    Everyone.

  15. Anonymous Coward
    Anonymous Coward

    TrueCrypt != Guilt

    I really object to statements like "Using TrueCrypt is surely a WTF. Everyone knows what TrueCrypt is." Since when did being security conscious mean you are guilty of a crime?

    We are getting to the stage where everyone *should* be encrypting their data to stop people leaving it around on memory sticks and laptops and then here you are saying that it mean someone must be up to no good!?

    Utterly absurd.

    1. Oninoshiko
      FAIL

      Re: TrueCrypt != Guilt

      TrueCrypt has a "Hidden Volume" function, but if you let others know you are using it, it defeats the advantage of that function. Under UK law (unlike US law) you can be compelled to provide a key. Failure to provide the key is a crime in-and-of itself (punishable by two years in prison).

      So, using TrueCrypt is not a crime. Failure to provide the key is.

  16. Irongut

    using well-established nicknames that they'd also used as XBox gaming tags

    Hahahahahahaha!

    Muppets.

  17. Oninoshiko
    Thumb Up

    Police perform proper investigation shocker!

    Good police work catches criminals, requires no new laws!

    1. Ted Treen
      Unhappy

      Re: Police perform proper investigation shocker!

      I would agree totally, but I must add the rider that it's BAD work to publicise your methods and explain where the ungodly goofed, 'cos that means 2013's ungodly probably won't make the same slip...

  18. Anonymous Coward
    Linux

    What is this "open source intelligence..."

    ...of which you speak?

    Can I find it on my Ubuntu system?

    (It's 12.04 and I don't use Unity, if that helps.)

    1. Fatman

      Re: (It's 12.04 and I don't use Unity, if that helps.)

      Another one who ran away from that clusterfuck called Unity!!!

  19. mark l 2 Silver badge

    Good to see the Met's e-crime unit had to employ a 3rd party contractor to do something as simple as monitor an IRC channel and then google the nicks and see if they had been used elsewhere.

    What's the bet the contractors charged thousands for doing this.

  20. Anonymous Coward
    Anonymous Coward

    Pics?

    Ok, great. They bagged some sad loser. I was led to believe I'd be treated again to the picture of the lovely, anonymous young lady and her inspirational assets. Color me a disappointed old guy.

    1. Wombling_Free

      Re: Pics?

      Yes, she was lovely! Wonderful cook too if my memory serves me.

  21. RISC OS

    It's ironic...

    ... that someone who works for the organisation Anonymous gets caught by being identified by his handle and social networking presence.

  22. Anonymous Coward
    Anonymous Coward

    Whom does the law serve?

    So, this Anon faces up to ten years in prison. A similar level of sentencing for sex crimes against children, violent assault, armed robbery, rape and manslaughter. Oh, and for large-scale fraud.

    PayPal, his alleged target, have dodged paying very large sums in taxes (millions of pounds sterling) and have had charges against them dropped in the UK.

    Whom does the law serve?

    1. Wombling_Free

      Re: Whom does the law serve?

      "This isn't a court of justice, son, this is a court of law"

      'Rotting on remand' - Billy Bragg
