SecurityFocus 2001-05-08
FBI agents called him 'the Equalizer': a security expert and confessed hacker who infiltrated the electronic underground to help the Bureau. When he drew the line at bugging a friend, they threw the book at him.

Kevin Poulsen at SecurityFocus did a great job with the material he had, and he actually checks his sources. (He was at my sentencing hearing as well!) However, there are a few misconceptions that are spreading due to a lack of information. For example, there is an unbelievable amount of factual errors in a Wired article.
I would just ask that if you do not know what you are talking about from first hand experience, please consider keeping it to yourself until you have the facts.
I absolutely did not turn anyone in or rat on anyone. I did not give the FBI any information about *people* that they did not already have or were already getting from other sources. I gave them a lot of *technical* information just like I would give technical info on whitehats.com, or in email to anyone who asks me for help.
3Com PBX hack:
All I did was sit in on a phone conversation that was *already* being recorded by both 3Com security personnel and the FBI. It was a voice-bridge type setup and I just chatted with some juvenile phreaks for a while and asked who set up the conference. These were script kiddie level phone codez kids. None of them were over 18. Yes, I forwarded some IRC logs afterwards. But if you think the FBI does not already have access to all of this information, wake up! IRC is a fed's dream: thousands of idiots bragging about their crimes in a public forum in text that is easily parsed and logged. I did not betray anyone here. What those kids did was already recorded by multiple authorities. To the best of my knowledge, they were not even charged. (By the way, take a guess as to whether the feds have a server on efnet.)
DefCon6
Yes the feds sent me to DC6 to harvest PGP keys, but I did not do any such thing! I did not ask anyone for a key and I certainly did not inform on anyone. DefCon was a blast. We just ran around Las Vegas, got invited to hotel parties, and generally had an excellent time. The ironic and best thing to come out of the DefCon trip was that I met Jennifer Granick who was speaking at the conference. You can hear the presentation she gave here: http://media.defcon.org:554/ramgen/defcon/dc-6/audio/granick-dc6-28k-isdn.rm
After I got back, the feds were growing more disappointed that none of my work had led to a bust. I had only helped the feds in the beginning because they fed me a story about how it was not like old times. Supposedly, feds do not care about exploration type hacking because they are just after "real" criminals (theft, damage, pedophiles, terrorism etc). But that is a total LIE. They just want arrests, and they will arrest their own mothers for jaywalking if it results in promotions and funding. Do not ever talk to, cooperate, or in any way trust the FBI. They are a wildfire *cough* waco *cough*. You can and will get burned. Even reporting an incident as a victim can make you a suspect (re: Study Shows: FBI Alienates Industry Security Experts, from blackhats.com)
Part of our argument at sentencing was that I helped the FBI. So, in our argument, this may have sounded like more than it was. It was not the results that mattered, but the fact that they obviously thought I was valuable and helping them or they would not have asked me to do each thing for them. Yes I helped them quite a bit with background technical information, but I did not burn anyone. In fact, I am getting punished more severely for this. The judge did not take my assistance into account at all, whereas he would have given a downward departure (equating to a lower sentence) if I would have burned someone. How sick is that? At my sentencing hearing, the prosecutor even hinted that they had considered obstruction of justice for not bringing down my friends. Absurd! What is this, 1984 with thought police? Why aren't these people doing their own jobs?
Interesting questions to ask about the case:
Why are hundreds, if not thousands, of servers compromised every day and yet only a trickle of people caught?
Why are far worse crimes that actually hurt people relatively unpunished?
Why is the government quick to prosecute intruders, yet still leave their servers *wide open* for any kid to get root?
Why are there mandatory minimum and sentencing guideline ranges for crimes against property/money?
Why do people get the same treatment (of varying length) for typing on a keyboard versus, for example, armed robbery?
If you think that you are helpful and good, stay as far away as you can from all feds. They do not understand you. You will end up getting burned. If you think that you are smarter than them, you are probably right. But they have many more resources than you do. They can always wait. They are waiting to profit from your misery.
This is the fed's greatest tool: People believe that they are being protected when they are actually being exploited.
Do not let yourself become their next victim. Stay away from all feds and do not talk to any law enforcement without a lawyer. And for god's sake, do not write and sign a confession if they tell you it will make things better. Believe me, it won't! Honesty doesn't count :/
Watch for "Repelling the Wily Fed" coming to a security site near you.