LulzSec Hacker Exposed by the Service He Thought Would Hide Him didn't, gave details on hacker to investigators instead

This article is from the archive of our partner .

On Thursday, the FBI arrested two suspected hackers who allegedly participated in Anonymous and LulzSec attacks. One of them, Cody Kretsinger, faces 15 years in prison for allegedly helping break into the Sony Pictures website with an SQL injection and publishing user data. As we described on Thursday, the indictment against Kretsinger says he used what's called a proxy server to hide his identity while carrying out the attack. But on Friday it emerged that the site he allegedly used to disguise his identity cooperated with police working to track him down. That's got some in the online privacy community very nervous.

The federal indictment against Kretsinger charges that he used a proxy server site called to disguise his Internet protocol address. Very basically, a proxy server works as an intermediary stop for a signal between one computer and another. By transmitting data through the proxy, a hacker can hide his or her ISP from the target. But since the proxy server gets between the machines on either end of that exchange, it is in a position to know details about the hacker. And if somebody investigating a hacking job gets access to that server, it can reveal their identity. That's apparently what happened in the investigation into Kretsinger. The details of that search haven't been made public yet, but a post on Hidemyass's blog says the company cooperated with police investigating the LulzSec actions.

It first came to our attention when leaked IRC chat logs were released, in these logs participants discussed about various VPN services they use, and it became apparent that some members were using our service. No action was taken, after all there was no evidence to suggest wrongdoing and nothing to identify which accounts with us they were using. At a later date it came as no surprise to have received a court order asking for information relating to an account associated with some or all of the above cases. As stated in our terms of service and privacy policy our service is not to be used for illegal activity, and as a legitimate company we will cooperate with law enforcement if we receive a court order (equivalent of a subpoena in the US).

Normal businesses do indeed regularly obey court orders. But something doing business as might not be thought to be a normal business. The service claims that "the world-wide-web should be world-wide and not censored in anyway," after which it goes on to highlight its popularity among protesters in Egypt when the government blocked access to Twitter. As the group Privacy International noted on its blog, that sets them up as "supra-legal arbiters of morality" who can choose to cooperate with some government requests and not others. Sony and the federal government see LulzSec hackers as criminal miscreants, but LulzSec sees itself as a revolutionary group.

The notion that a proxy server could or would identify its users to investigators has privacy advocates crying foul. " is 'probably' run by the FBI. I know I would have put a number VPN and anonymizers out there hoping they would use them," wrote one (hopefully tongue-in-cheek) commenter on Ars Technica. Jason, who writes the blog Securityphile and doesn't publish his last name, tweeted, "hide my ass privacy service just became sell my ass to the feds." In the comments on the Privacy International blog post, PI technology adviser Eric King wrote: "There are many services who make far less grandiose claims about 'complete privacy' whose architecture inherently prevents them from being able to track or log users' activity. AirVPN and the Tor Project both offer similar services we'd happily recommend." AirVPN, for its part, issued a lengthy statement on Friday reassuring its customers of its own privacy safeguards and advising rattled users on how to take their own.

But for LulzSec members who have already used, the damage is done. Only one, named "neuron," mentions it in the leaked IRC logs, but since Kretsinger went by the handle "recursion" it's a safe assumption there's at least one other user out there who may be on the hook.

This article is from the archive of our partner The Wire.