Police swoop on 'Hacker of the Year'

AcidAUS writes "The Swedish hacker, Dan Egerstad, who perpetrated the so-called hack of the year, has been arrested in a dramatic raid on his apartment, during which he was taken in for questioning and several of his computers confiscated. Egerstad broke into the global communications network used by embassies around the world in August and gained access to 1000 sensitive email accounts."

"Broke in?"

I thought he just listened in on Tor traffic.

Re:"Broke in?"

He did, and that's what's so stupid about this police-raid.

Re:"Broke in?"

There's a guy down the street from where I work that had a bullhorn talking about the end of the world. I completely hacked into his message this morning.

Well, that's what you get

90% of what makes a really good hack hard is STFU'ing about it.

Re:Well, that's what you get

That is the point authohorities all over the world seem to be making... Do not report Security flaws.

If you notice a security flaw and are quiet about it nothing happens.

If you notice a securoty flaw and report it you get charged for hacking.

Guess what happens in future...

Re:Well, that's what you get

There was an article a while back on slashdot, that mentioned about this guy who found a way to duplicate boarding passes for an airline... before he published the information to the internet, he contacted his congressman, which did nothing about it.. but then published how to do it, and the template to the internet. He was then considered a "terrorist" and I have heard nothing more about him.

Re:Well, that's what you get

No, but of people with a one track mind. He who knows how to break the law breaks the law, since if he didn't mean to break the law, he wouldn't know how to do it. He who finds a security hole must have been looking for a security hole, and the only reason to look for a security hole is to use it.

Another train of thought follows the logic that what is forbidden does not exist. And if it exists, simply crack down with utmost force on it, and it ceases to exist.

The core fallacy about it is that this doesn't mean crimes don't happen, it just means you won't hear about them. Which is, for the statistic, identical. It's a bit like closing your eyes and pretending that since you can't see the problem it doesn't exist.

Re:Well, that's what you get

No more than anybody else's... listen, the guy just exposed a major security flaw that has an impact on diplomatic communications all over the world. On the one hand, the guy's doing a job no one else thought to do, and to let governments know that their secrets are easily tapped. Governments should be funding his work, to see if he can come up with a solution to the problem. But being governments, they're a bit paranoid (even the Swedes) and heavy-handed. This guys knows about a security vulnerability -- what else does he know? So they drag him in and give him the "treatment".

Re:Well, that's what you get

You can't really blame the governments for their response. Most agencies are only authorized to punish citizens, not ask them for help.

Remember the Air Force Axiom; when the only tool you have is a multi-warhead thermo-nuclear ICBM, all your problems look like the Soviets invading West Germany.

Re:Well, that's what you get

A bit too paranoid. He was told to shut up about it, but nothing happened to him. It was a journalist who'd found out that if you made two boarding passes at home, one in his own name (not conspicuous) and one in the name of Osama Bin Laden, and you switched bottom barcodes on them, you could get Osama on the plane. Or something. Apparently, the two barcodes are read at different stations, and only the first one checks for identity (but not the no fly list), and the second one checks for the no fly list (but not the identity). Or something.

Re:Well, that's what you get

And what did we learn today? Don't report a security hole, sell it to Russia.

Re:Well, that's what you get

I think the "sellout" part of those hackers is actually the part that grew up and realized (real - as mentioned above)hacking is not a way to support a family - and it will always be a hobby. As it should be, no?

Good.

Break the law, go to jail. You don't have to like the laws, but breaking them ain't going to do you a bit of good. And then to go as far as start messing with the cops? Good going there Dan! Enjoy your time in prison!

Re:Good.

And my faith in humanity drops to yet another record low.

I'm getting sick of a society that has ZERO room for exceptions. Make exceptions for the exceptional... that is why they are exceptional.

Although listening to TOR traffic is hardly exceptional, but the point he proved without malicious intent was.

Re:Good.

"Egerstad published 100 of the email accounts, including login details and passwords, on his website for anyone curious enough to have a look"
Publishing login credentials of 100 accounts isn't what I'd call without malicious intent. Okay, he was trying to force them to react, but there are better ways of doing it.

Your good natured intent is clouding your thinking

Diplomats are often dealing with people seeking asylum for humanitarian reasons. They also deal with local and international law enforcement and sometimes the military. In any one of those cases leaked information could have gotten someone killed. This guy didn't expose the logins and passwords of MySpace accounts. Then there's the consideration that he very well may have violated several privacy/confidentiality laws as well.

I don't think you realize just how serious what this guy did is.

Re:Good.

A law is not to be observed blindly. A law is to be questioned to test it against real life requirements. If people would not question laws, people would still be enslaved because of the color of their skin and the US would still be a colony of Britain.

Re:Good.

I won't delineate all the reasons why what you said is a stupid troll.

But here's a few gems for you.

1) He became a tor node.
2) All the data he examined was on his own computers.
3) Everything on the computers belonged to him.
4) As a responsible tor node person, he examined the contents of it.
5) Refer to number 3. Also in the US, he could be found responsible for
      people using his tor node to traffic in say copyrighted works or child
      abuse. So he would really pretty much HAVE to inspect the contrents of
      his traffic to make sure that no illegal activity was taking place.
6) What law is it you think he broke?

It was just tor eavesdropping!

All he did was run a tor exit node, and observe the outgoing traffic, a known possibility when using tor. Not only is there the disclaimer "This is experimental software. Do not rely on it for strong anonymity" evertime you run tor, but this vector of potential attack is so bloody obvious that anyone not aware of would be a bloody idiot not to use additional encryption for accessing sensitive information on the other end, and rely on tor only for obfuscation of the fact that the route originates from them.

Re:It was just tor eavesdropping!

All he did was run a tor exit node, and observe the outgoing traffic...

And that could very likely be construed as eavesdropping on electronic communications. The Swedish penal code, 4th chapter, 8th paragraph, says:

8 Den som olovligen bereder sig tillgång till ett meddelande, som ett post- eller telebefordringsföretag förmedlar som postförsändelse eller telemeddelande, döms för brytande av post- eller telehemlighet till böter eller fängelse i högst två år.

Which translates to approximatly:

The person who gains access to a message, that a postal or telecommunications company transmits, as a postal or telecommuncations message, is to be sentened for exposure of postal or telecommuncations secret to fines or a maximum of two years prison.

Swedish laws are a bit laconic so that's the full text. I'm not really surprised that the police decide to start an investigation since what he did could be legal - it's not a clear cut case. Obviously the message were not ment for him and he didn't come by them by accident. Word to the wise: better read up on the laws where are if you're going to pull something like this. If it's in the gray area be prepared to investigated.

Wouldn't this technically be a cracker?

I mean, I'm not up on all that. But for a little while the effort was made to distinguish them. Has that effort been abandoned by white-hats?

What happend?

What happend to word "Cracker" and "Hacker"? Is he now a Hacker or Cracker? Few days ago was again news that how one hacker found thousands of servers without updates and firewall and he was hacker because he is security advisor and works for one company. So why this man is called as hacker too if he stoled information?

I don't know why is he surprised

He fucked the police states, so the police bit back.
He is lucky not to be in russia or china or cold war US so he got no bullet in his head.

Hackers, gang crime and bare breasts

Meanwhile, Swedish police stands by watching an outbreak of gang shootings in the city of Gothenburg, in which even police stations and police helicopter hangars have been destroyed by drive by shootings. The chief of police is quoted as saying "We know who they are but we can't arrest them because we have no proof".

Isn't it amazing that it's easier in Sweden to raid and arrest a white collar hacker than a hard-core gang of criminals with machine guns?

In other news, Swedish feminists were heard crying out for the right to display their breasts in public - "we too [want to] pull off our shirts at football matches". [thelocal.se]

God, what a country.

Access credentials were sent through his node!

broke into the global communications network used by embassies around the world in August and gained access to 1000 sensitive email accounts

He acquired access credentials to 1000 email accounts used by embassies. He did so by becoming an exit node of the TOR anonymizing network and reading the unencrypted exit traffic. That may have been in violation of the law, but does not constitute "breaking into the global communications network used by embassies".

What a moron!

Look, I don't know if the guy actually broke any laws. It sounds like he might have, but maybe not. On the other hand, intentionally trying to fuck with the police after they arrested him is plain stupid. It doesn't buy you anything except bad will. It's not like the people interrogating him are the ones that made the decision to arrest him. You get pulled in by the police, if you're really not guilty, the only smart thing to do is cooperate. Creating that kind of bad will and then complaining that you might not get your computer equipment back for years, well what do you expect? Shit on people and expect them to shit on you back.

"Broke into"

Dan didn't break into anything. He simply set up a Tor node and watches the traffic passing. Most likely the passwords he sniffed out were not used by Embassy officials but by criminal elements who were using Tor to avoid being caught when using stolen credentials.

Also, he notified the involved embassies weeks before publishing the material.

I not saying it was a stupid move (I think it was) but the summary makes him look like a criminal which he is most certainly not. The Swedish police does not understand IT and obviously does whatever foreign countries tell them to do since our political leaders lacks spines.

Just what is he?

From the article, paragraph 1:

The Swedish hacker who perpetrated the so-called hack of the year...

From the article, paragraph 2:

Dan Egerstad, a security consultant, intercepted data carried over a global communications network...

Emphasis mine. So what is he? If he's a hacker, the raid is just desserts. If he's a security consultant, and he's exposed this flaw, he's being persecuted. Frankly, I don't know what he really is, but it seems like the press is schizophrenic on this issue. It just goes to show that when it comes to technology, the mainstream press is a bit low on clarity and high on sensationalism.

Re:Just what is he?

Emphasis mine. So what is he? If he's a hacker, the raid is just desserts. If he's a security consultant, and he's exposed this flaw, he's being persecuted. Frankly, I don't know what he really is, but it seems like the press is schizophrenic on this issue. It just goes to show that when it comes to technology, the mainstream press is a bit low on clarity and high on sensationalism.

If a locksmith breaks into your home by picking your locks, he is still a burglar.

Dramatic Raid indeed

I live a few hundred meters from his home, and was woken up that day, not by my useless alarm clock, but by sirens from 7 or 8 police cars heading in the direction of his apartment. From the TFA it seems like the were a bit more discreet when moving in on him, so I guess this was some kind of show of force to intimidate him, and his neighbours. Wouldn't surprise me, considering how the TPB-raid was done.

so... the criminal cops in sweden want to hack too

looks like those illegally acting cops just wanted a cheap way of getting their sweaty hands on Egerstad's code. It would be so cool to be able to spy on all those foreign guys, eh?

Zero Cool would understand.

HACK THE PLANET!!!

Yes, I still love that movie.
Yes, I know it was horrible.

A dramatic raid...

[knock at the door]

Police: Open this door! Thou art a felon wanted for many counts of villainy against the citizenry of this fair nation!

Dan: How now!? Am I to be jailed? What can I do but beg for the mercy of The Crown?!?!

[Dan weeps loudly]
[Viola music plays a sad song in the background]
[Dan slumps over a b0x3n]

Dan: I am ruined. Farewell, my tools of crime, for you are sure to meet a worse fate than I in our common traitorous endeavors.

[The door breaks in, an officer enters the room and grabs Dan by the shoulder with nightstick in hand]
[Fades to black]

Oh, you mean a different kind of dramatic. Sorry, sorry.

Government raids

People are always looking to the government to protect them. Who protects you from the government? My biggest fear in my home isn't some criminal breaking in, it's a stupid government raid that possibly gets me or one of my family members killed, or all the programs I've written in my entire life being confiscated. Perhaps some would say I shouldn't be afraid because I'm not hacking or doing anything (that I know of) that's illegal, but I am a programmer, so nevertheless it hangs over my head. I hate those who favor strong and intrusive government and want to "send a message"; it is you who should die, all of you! I won't miss you.

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."o7

The solution is simple

These kind of Hacks should still be committed to show security flaws or simply when people implement things incorrectly which leads to a flaw in the security. The thing is when the evidence is collected that a security hole exists the Black Hat should anonymously submit that evidence to thousands of websites simultaneously. And they should use Tor. Ya it doesn't prevent traffic from being intercepted but they still can't figure out where it came from. That way the government doesn't have anywhere to direct their misguided raids. In addition the security hole will hopefully be fixed.

Bush Reaction

He has a definite link to the Islamic fundamentalist groups operating in Iran who were responsible for various US embassy bombings. We need to defend our way of life and of our childrens with all the peoples of the world. Some of the accounts have information containing Weapons of Mass Destruction which Iran as been acquiring which will lead to a third world war. The Swedish security service is our ally towards counter terrorism and we hope they will join the alliance for our War on Terror.

DOH!

When will people ever learn that IF/When you do a legit hack, you DO NOT talk about it! If you do it for a company (ASK FIRST) (So you dont get sued) and NEVER do government and or police systems.. unless your using tor. errmm nvm xD

"Cracker" ... "Crack-of-year" ... etc

Semantics for some, a way of life for others!

Security Flaws

Leaving your key in the door doesn't make it right for the next person who finds them to just walk into your house. Was it dumb to leave the keys in the door? Undoubtedly. Was it wrong for the intruder to enter unlawfully anyway? Yes. The problem here is that the guy "opened the door" looked around and listened and then went and told people about how the door was unlocked and they could just open it and listen in. Sounds like the problem here isn't that he shouldn't have done it, but more that he shouldn't have opened his mouth about it. PS - Hacking MySpace should be no less of a crime than hacking the embassy. If its ok to exploit MySpace by not the government then we have created a huge double standard and rift in the justice system. Typically, I'd say that knowing how to do something doesn't mean that you should do it, but then again the Hacker's Manifesto does state that it should be hacked simply because its there.

This was NOT a hack.

This guy is a very good security consultant that has been around for a while. This is not the first leak he has discovered and tried to warn people, Dan discovered that his home DSL was going slow and started sniffing out the traffic from his ISP. He quickly discovered that the ISP sent him traffic from about 4000 other customers on 16 different subnets! He could see everything on the network. This very time he had setup a tor link and started sniffing out the traffic, just as NSA does in the US on their large tor links. What he found was countless passwords and other sensitive stuff floating around. He found large amounts of usernames and password floating by all the time. No doubt this was from a hacker/foreign security intelligence that used tor for anynomity. The fact that most passwords was from governments like Iran, Russia and other countries not in the US "group" suggests this was US spying in progress. The fact that Swedish "Säpo" (intelligence is not the right word for theese people) was pressured into action against something thats not a crime at all in sweden also makes one wonders what is going on. It seems people are dissatisfied that this leak was made public. I doubt the people being hacked was miffed at Dan for showing them that someone was spying on them. Now that they know and secure their communications, maybe with stringent encryption and backdoor free open source, i do now one country that will be angry.

It is correct ....

It is politically correct to not cause a problem, ignorance is bliss.

It is criminal/troublesome to report problems, but ignorance is bliss and politically correct.

No faults/problems found/reported in a politically correct blissful world means there is not a problem.

A world without problems is proof of safety/security and politically marketable to public bliss.

When a bridge collapses, a city gets drowned, large buildings collapse ... is it due to bliss or problems?

Send all problem reporters to jail, then we know that bliss is the cause of all catastrophes, because there ain't no GDMF problems.

Surprise catastrophes (due to bliss) are forgivable, spin-truth political capital for USAll.

-stad

Is this some sort of a bad joke?

4chan

These are the email accounts that were posted on 4chan? By the way, why do embassies use Tor?

Re:What's Swedish for 'hypocrite'?

He hacked NOTHING. He sat on a tor exit node with dsniff. You can do that setup in minutes (I used to run driftnet-gtk on my tor exit node for kicks). He noticed a large amount of dumbasses using email with no encryption, and wanted it to stop ASAP, so he released the info.

Re:What's Swedish for 'hypocrite'?

Personally, Egerstad sounds like the kind of a sanctimonious dick that SHOULD get the beatdown. They should give him "every known signal" that the police don't like it when when someone is lying to them...tasers, nightstick, whatever.

Personally, you sound like the kind of guy the police should protect us from. Too bad that they don't seem to get people with better morals for their own ranks.