On Thursday, the FBI arrested two suspected hackers who allegedly participated in Anonymous and LulzSec attacks. One of them, Cody Kretsinger, faces 15 years in prison for allegedly helping break into the Sony Pictures website with an SQL injection and publishing user data. As we described on Thursday, the indictment against Kretsinger says he used what's called a proxy server to hide his identity while carrying out the attack. But on Friday it emerged that the site he allegedly used to disguise his identity cooperated with police working to track him down. That's got some in the online privacy community very nervous.
The federal indictment against Kretsinger charges that he used a proxy server site called Hidemyass.com to disguise his Internet protocol address. Very basically, a proxy server works as an intermediary stop for a signal between one computer and another. By transmitting data through the proxy, a hacker can hide his or her ISP from the target. But since the proxy server gets between the machines on either end of that exchange, it is in a position to know details about the hacker. And if somebody investigating a hacking job gets access to that server, it can reveal their identity. That's apparently what happened in the investigation into Kretsinger. The details of that search haven't been made public yet, but a post on Hidemyass's blog says the company cooperated with police investigating the LulzSec actions.
Normal businesses do indeed regularly obey court orders. But something doing business as Hidemyass.com might not be thought to be a normal business. The service claims that "the world-wide-web should be world-wide and not censored in anyway," after which it goes on to highlight its popularity among protesters in Egypt when the government blocked access to Twitter. As the group Privacy International noted on its blog, that sets them up as "supra-legal arbiters of morality" who can choose to cooperate with some government requests and not others. Sony and the federal government see LulzSec hackers as criminal miscreants, but LulzSec sees itself as a revolutionary group.
The notion that a proxy server could or would identify its users to investigators has privacy advocates crying foul. "HideMyAss.com is 'probably' run by the FBI. I know I would have put a number VPN and anonymizers out there hoping they would use them," wrote one (hopefully tongue-in-cheek) commenter on Ars Technica. Jason, who writes the blog Securityphile and doesn't publish his last name, tweeted, "hide my ass privacy service just became sell my ass to the feds." In the comments on the Privacy International blog post, PI technology adviser Eric King wrote: "There are many services who make far less grandiose claims about 'complete privacy' whose architecture inherently prevents them from being able to track or log users' activity. AirVPN and the Tor Project both offer similar services we'd happily recommend." AirVPN, for its part, issued a lengthy statement on Friday reassuring its customers of its own privacy safeguards and advising rattled users on how to take their own.
But for LulzSec members who have already used Hidemyass.com, the damage is done. Only one, named "neuron," mentions it in the leaked IRC logs, but since Kretsinger went by the handle "recursion" it's a safe assumption there's at least one other user out there who may be on the hook.