A 23-year-old Arizona man arrested on Thursday in connection with the hack of Sony Pictures Entertainment last May was a model student who saw himself one day defending networks at the Department of Defense and the National Security Agency.
Wired.com’s Threat Level, the Associated Press, and other news outlets are reporting that Tempe, Ariz. based Cody Andrew Kretsinger is believed to be a member of the LulzSec group, an offshoot of the griefer collective Anonymous. According to the indictment against Kretsinger, he was involved in executing and later promoting the high-profile and costly attack on Sony’s networks. Sony estimates that the breaches would cost it more than $170 million this year.
Kretsinger is a network security student at Tempe, Ariz. based University of Advancing Technology, according to Robert Wright, director of finance for UAT. A cached page from UAT’s Web site shows that Kretsinger was named student of the month earlier this year. That page, which indicates Kretsinger was to graduate from the institution in the Fall semester of 2011, includes an interview with the suspected LulzSec member. In it, Kretsinger says he would like to work at the DoD after graduating.
Where do you want to work after graduation?
“I hope that I’ll be able to work for the Department of Defense. From what I hear, they’re pretty good at what I want to do.“
Where do you see yourself in 5 years?
“Traveling, doing Network Security as a profession with the Department of Defense. While I wouldn’t mind being a penetration tester, I think it’s a lot more fun to try to build and secure a network and its devices from the ground up. I suppose I wouldn’t mind being in management, either.”
What’s the ultimate dream for your life?
“Good secure job, great family, maybe a ’64 GTO or something to that effect. I think a job with the NSA or Department of Defense is my ultimate dream.
I hope that I’ll be able to work for the Department of Defense. From what I hear, they’re pretty good at what I want to do.”
Kretsinger may have a difficult time finding work in the public sector. In June, LulzSec claimed responsibility for hacking into computers at the Arizona Department of Public Safety’s computers and releasing hundreds of law enforcement files. The hacking group also claimed to have breached the websites of the CIA and the U.S. Senate.
Read the rest of the interview at this link cached by Google. A copy of the interview is saved as an image file above.
Could be problem get a govt security clearance when you’re part of a cyber-terrorist group.
Funny thing though, there are plenty of govt “cyber-terrorists” with security clearances working for the Pentagon, the CIA, the FBI… etc.
It’s always OK when the govt does it.
I disagree with that. The FBI used Sammy the Bull Grivano to nab John Gotti. Thats just how it was to convict Gotti. The US needs the best they can get from a country like CHINA that hacks or tries to every ten minutes. If they have to get the shady ones to do it so be it. Dont think for a second that the US and goverments all around the world have been employing these people( France Employed all of Italy’s Cryptographers after WWII. US used Hitlers medical research on jews that were eventually published in medical journals- The clean as a whistle guy who doesn’t have much experience isnt going to help the US, If something better can be produced by recruiting such people. so be it
I could be wrong but, dont you think alot of these hackers just do it for the thrill? If that wasnt the case, then a whole lot of stuff would be out right now. I think your notion of why can the US do it but regular people cant is wrong. The answer is complicated. Americans expects the US government to protect. If the notion to hold reckless immoral governent leaders accountable by leaking stuff. That is a danger. The solution to insuring better leaders is to vote, protest, write your member of congress, inform more people and shed to light in a responsible way and so on. Thats the proper forum.
But transparency has no place in government? Really? You think the secret Federal Reserve has been handling this economy and ESPECIALLY the value of the currency well?
Let’s back up for a moment and think about what you are saying…
To be fair, on the Gotti front, you’re talking about turning someone and using them as an informant. There’s a huge difference between convincing a criminal to wear a wire and then testify against his associates, and being a sworn federal agent.
Additionally, the Paperclip is complicated, legally speaking. The short version is, the military forcibly abducted German and Japanese scientists after the war at gunpoint, set them up in the States after the war and profited from their use.
The legal complexity is, that before Nuremberg, there was no precedence for trying people for war crimes committed on their own population. Individuals decided that gaining a scientific advantage over the Soviet Union was more important than public satisfaction of seeing these people executed in the Nuremberg trials.
I really feel I need to stress this part again though, Paperclip was, primarily, a military operation. Which, in two words: changes everything.
Grivano was paid alot of money with a nice house in Arizona. No jail time
If they can do it with grivano they can do it with a cracker
Yeah, but they didn’t make a cop, nor did they give him a job, and he was able to bring practical information to their investigation.
This kid has no leverage, and no way to get himself a deal like that.
Gravano actually provides a great example (as do Max Butler and Justin Tanner Petersen) for NOT trusting former criminals.
Gravano moved to Tempe, Arizona, where he started running a drug operation selling ecstasy and being lord of a local coffee shop. He got busted and is now in a Supermax prison in Colorado.
Don’t be too quick to judge…the problem has been staring network security officials dead in the face for far too long now, I’m surprised it took this long and maybe we should all just consider this as his interview. We know the lad is talented and we must consider his point of view and what he meant to accomplish.
Do I agree or condone the potential damage these acts can cause? No, but I am saying its a problem that has been festering and now people are finally starting to pay attention…I mean they have created a boom in a field in a near-depressive economy, and when considered that way its an impressive job they did to stimulate the economy without taxpayer money.
There’s a fine line between salvation and drinking flavoraid in the jungle…
as a side note im sure he’ll do fine as a private consultant/speaker in the 150-250k/year range, after any criminal issues are worked out…
Yeah, it’s much like the Kevin Mitnick situation. He was a wanted criminal & punished for the hacking. But, then, the “reformed” Mitnick was able to get plenty of consulting gigs or whichever network security job he wanted. This guy may get the same treatment. The issue is a form of branding.
Anyone, from insurers to investors, asking about how the firm is protecting its assets can be told that a former LulzSec member is being paid well to provide “total protection of our networks and PC’s” or something like that. They will be reminded how “LulzSec beat everyone they came across & the members know info security better than anyone.” “The man has renounced his childish life of crime & is applying his skills well here at BlahBlahBlah Inc. to keep our assets and your data safe.”
It’s kind of a form of security theater. Companies like to do that. I put those “hacker-safe” web site emblems in the same category. Customers & investors trust it because they think the sites security was verified somehow, but it’s actually an illusion that saves the business the high cost of actual INFOSEC. Of course, anyone that hires Kretsinger will be providing both branding & strong real security due to his technical skill & passion for the subject area, much like Mitnick. So, the situation is actually good for the people who put faith in any subsequent marketing claims from the company post-hire. Security theater & marketing materials usually don’t reflect reality that much. 🙁
OK if there is a fine line, Then how to you propose the US government find the best and brightest to work for them on these issues. Im sorry thats ignorant. Most of these guy do make that much in consultancy only because they are in demand. If there wasnt they would have side jobs making happy meals. Which means there are a shortage of them in the US. I would rather them work for the US government where they are monitored more with US technology and on a shorter leash, than letting them roam the street as a consultant where there isnt one at all. Thats part of the idea of the Government. They would rather these hackers work for them and BENEFIT. Because there is a tremendous demand in this industry. Im sorry the Network security graduate at ITT TECH isnt cutting it
Sounds a little to “work camp” for my tastes
^supsect^suspect
0_O thanks
The guys an idiot, he may be intellectually capable of working for the DoD but he lacks the wisdom necessary to be trusted with the cash register at a McDonalds.
Must have thought he was hiding when he did the shadow work. Its hard to make the jump from amateur to pro.
People don’t realize that law enforcement professionals hunt down criminals for a living. Criminals don’t get as much practice or support as the pros.
That is an interesting point and the same was made by security guru Bruce Schneier. He was asked if he could have used his security skills and knowledge to be a successful criminal. Bruce pointed out that what makes many security guys into pro’s is learning from their many failures. Criminals usually can’t afford to fail in regard to their security or anonymity as failure = jailtime or worse. Hence, most smart guys attempting to become pro criminals will fail as amateurs because they didn’t have the experience they needed. On the other hand, many investigators & pro pen testers could probably become successful criminals because of what they’ve learned chasing them.
IF he is guilty, I suppose we know what he meant when he said he was working on some larger projects he couldn’t talk about. 😛
Even if he isn’t guilty, media stigma is going to screw him out of work anyway.
Whatever happened to “Innocent until proven guilty” or even using the keyword “allegedly”, is part of the perception problem.
While Sony can make all the claims of money losses they want, they should also recognize they were not diligently protecting customer’s data. And replying with changes in the TOS is symbolic of the corporate head in the sand Anonymous stands to deter
This is not a clear case of thief getting caught, it’s much more complicated.
And yes, this boy will get his Ferrari, if only for the movie rights of his story
“While Sony can make all the claims of money losses they want, they should also recognize they were not diligently protecting customer’s data.”
That’s like me saying I don’t owe you any damages for ramming my car into you at a pedestrian crossing because you should have been looking out for cars.
The facts would still be that I was meant to stop to let you cross and you could sue me for inflicting harm to your person.
Sony wasn’t storing any data in plain view, the alleged perpetrator here took active and deliberate steps to bypass their security regardless of how weak it was.
Just because I leave my back door open doesn’t give you the right to come in and vandalize my house. Leaving the door open may make me a fool, but going in a place you don’t belong makes you a criminal.
Yes, but if you are a bank and you leave your company books (full of customer info) inside the (unlocked) back door, then you ARE partly to blame.
That’s much closer to the case with Sony; the company is not a private individual who’s personal property was taken under, they are a corporate entirely entrusted with and profiting from user’s fiscal information, and they had known security flaws. The outcome was entirely predictable.
I agree that not taking proper security measures places some responsibility on the victim (e.g., Sony).
But it does not follow that this takes away any responsibility from the perpetrator for his own actions.
Hi,
He’ll have two options… Either, join the DOD, or do time…
You don’t think they’ll try to recruit him now? Heck yes — they will…
That’s the way governments work…
CrappyTires
With respect? Not likely. If he does see that offer, it’s much more likely to be an interview technique to get him to spill his guts. “We like what you did, tell us how you did it” type of thing.
Now, it’s true, the US has, in the past said, “we’ll wipe away your past, if you come work for us”, post WWII scientist cherry picking comes to mind as an example of this. But the fact of the matter is, when the government does that it’s because you (or whomever), has a unique (or at least a rare) skillset.
IT Security skills aren’t even slightly rare. And, because of the way the field works, it’s relatively easy to train people into it.
Put this in contrast to the scientists involved in Paperclip, who had highly sought after advanced educations in what was, at the time, cutting edge science.
If this was the way the world really worked, Kevin Mitnick would have vanished into some clandestine program, rather than getting arrested.
There are exceptions, but, honestly, with the media attention Kretsinger’s managed to attract, any recruitment window is long since closed.
Stark. You made my case. I dont disagree at all with what you said. The government still picks off any hacker they can. These people busted are going to be put to work. Thats what I meant by its rare field and theres a demand. People have stated hell get a nice speaking salary. Thats proably true. Its only because of the demand. UAT has a network security degree but its more geared toward hacking on top of the real hacking degree they offer. I wanted to go there but couldnt for money reasons. I think my point was misunderstood. IT jobs ARE flexable. But when you are part of a cracking ring- they dont call it hacking, the US wants and needs an army despirately. China has over a billion people. How many do you think work in their “IT” department? This kid along with the others will quietly walk based on that fact alone. This kid and the other knew that. He may be booked, but hell quietly be pulled. Its an unofficial US gov policy that isnt talked about that most hackers already know. All hackers busted, mandatory get jobs with for the FBI,CIA,DIA,DOD, and NSA. He is walking I guarentee
I still seriously doubt it. And here’s why. A felony conviction is enough to ensure you won’t be able to pass basic background checks in the private sector for, really any position above fry cook. A felony acquittal is probably enough to prevent any security clearance from being issued. And that’s assuming he can get an acquittal, in this case the deck is pretty heavily stacked against him.
There is no “smuggling him out the back of the courthouse” at this stage. Even if the DoD did want him, they don’t, and can’t, get him. He’s currently under the judiciary, and his chances of getting out of that without a criminal record are slim. Basically, in the American Justice System there is no, “we’re going to cherry pick this guy because he has the skills we need” option. It simply doesn’t exist outside of pop culture.
Again, basically, if you have a felony record in the US you cannot work for the government, law enforcement, own a firearm, or even vote. That’s simply the way it works, and no amount of “733t hacking skillz” will change that.
In fact, in the past, the CIA has complained over the years that they’re prohibited from putting people with criminal records on the payroll because it has hampered their ability to recruit assets. (Though, for the most part they’re talking about recruiting informants with foreign criminal records. Something with a much lower standard than case officers.)
The other problem is, at least from what we saw, Lulzsec wasn’t even particularly competent. The information I’ve come across regarding their attacks usually were some variant of undocumented (and unsecured) pages on sites, SQL injections, and really primitive social engineering. Aside from the social engineering this isn’t quality work, this is the IT equivalent of throwing a brick through a window. (I may be forgetting something, but, still, not high end infiltration work, and certainly not the caliber of work that groups like the DOD or NSA would be looking for.)
You are right the US (and for that matter, most of the world) needs to step up its IT security. But, the tradeoff is there are a lot of people out there who are more qualified than Kretsinger, lack criminal records, and actually applying for positions.
As an aside, the post war cherry picking, was done by the Military and the OSS, these were people who were never arrested, were never filtered through civil authorities, and weren’t under criminal investigations. They were offered the choice, “come work for us, or we shoot you in the head right here,” not “work for us, or go to prison.”
I could be wrong, and frequently have been in the past, but every military, law enforcement, and government security person I’ve ever met has been extremely cautious, security concious, and failure (not risk) averse . They just don’t strike me as the type that would recruit someone who has already been caught once using arguably weak techniques to cover his tracks. They don’t want a hotshot who could get caught and traced back to their agency.
I knew some of the students at UAT and still am good friends with some of the graduates. This university attracts kids from all over the US for it’s video game design degrees, but many have a hard time finding jobs in the gaming industry. Lots of students there spend time pentesting (read hacking) the PCs on campus using them for hacking and ultimately showing off. I wouldn’t doubt that other students know about this already.
Folks: HE’S BEING FACETIOUS!
He was an imbecile to trust HideMyAss to begin with, let alone register the account with his LulzSec handle.
An amateur, at best.
Work for DOD?? Only if it’s Free!! (prison labor)
Well, he’s saved the DOD the trouble of weeding him out (hopefully, if he wasn’t being facetious and if he is guilty as charged). If so, they ought to go to school on him and profile him (almost) to death for selection metrics.
On the bright side for him, he may have several years of govt funded room, board, and some minimal level of medical care, courtesy of DOJ.
“I suppose I wouldn’t mind being in management, either.”
pen-tester at DoD cuz they’re “pretty good at it” and management?
facetious.
You know it seems to me like a fishing expedition by the FBI. It seems to me that they are serving us with the same BS they show up with for the anthrax story. These guys have no fucking clue of who the LulzSec members were.
Kids need to understand that actions have repercussions. If he were under age 18, this may have been counted as youthful indiscretion. At 23, he should know better. He needs to be held accountable.
If found guilty, I hope he spends 10 yrs in a real jail and has to repay financial costs to the company.
SONY should have been spending $20M/yr on data security since 1995. In a large company like SONY, a $20+M annual project isn’t really that large. They’ve been lucky, that’s all.
Looking at this event differently, I would say:
* A good advertisement for the UAT university.
* 100% of the advertisement costs were paid by the subject student.
Check out Twitter posting for hide my ass .
http://twitter.com/#!/hidemyasscom/
I don’t know that knowing how to use HideMyAss.com qualifies you for a security job at the DoD. I wonder if he is really the one they are looking for, or a curious person just checking out someone else’s story about how easy it was to enter Sony’s database.
yeah and Grivano was a hit man . He murdered people Yes they gave him a Job outside the Government. I would rather give a hacker a job that can bring viable skills to the table, Then give a murderer a nice house alot of a a money. They didnt even need the guy in the first place to convict gotti
If that’s your choice, that’s fine, that’s your choice. But, in the realm of government, it’s never “your choice”, there’s always a bureaucracy to appease.
Grivano was able to work out a deal for himself. He had information the Feds felt they needed. They were able to make a case to the bureaucracy that the deal was worth the time and energy to make it happen. The deal was, money and go away, if you help us stop this.
In contrast, Kretsinger has nothing the Feds want. He might be able to provide information on Anonymous or Lulzsec that the Feds want. But, he’s not the only one with that knowledge.
Anonymous is not the Mafia, getting Anons to turn on each other is much easier for investigators (though, we haven’t seen any official acknowledgement of this). Kretsinger has no specialized training in this field, he isn’t the secret hacker leader of Lulzsec.
Again, he has literally nothing to offer in exchange for a deal, except turning on his fellows.
Now, he can probably get a plea agreement, reduced jail time in exchange for a guilty plea, but that’s about the best he’s going at the moment.
i wish i knew how he was nailed. it would be beneficial to many for the group to post their theories or suspicions on this…
A wild guess here, but we know the media was monitoring their IRC traffic (it’s reasonable to assume the Feds were as well, probably in more subtle ways), LOIC wasn’t secure and was broadcasting some information about who they were to the victims, and the Feds have been snapping up proxy servers and dissecting them. So, computer forensics, basically?
No one noticed the baseline issue here tho.
This kid is been claiming that the system / government is bad , to fight against them and now he is talking about working for them?
Somehow I have this weird suspicion that, he genuinely believed he would never be caught, so that when he was interviewing for that when he was interviewing for a government position, he could whip the cover off his masterpiece… believing it would land him the position, only to get arrested for it almost immediately afterwards.
Just mindless conjecture on my part, but it is amusing.
Anyway, in a more direct response to you, Victor, his actions strike me as more of an “I want to be someone special” than “down with the government”. Towards that end he was willing to undermine the government, and expose them, but there was no ideological conflict when he says he wanted to work for them, because that would make him “someone special” as well.
Actually, “important” may be a better word than “special”, given the connotations on the latter, but anyway.
Starke never said he didnt. The guy will definitely fry in prison I was trying to put it into broader context. Aparrently you believe everything the government(CIA) says. Thats a greater threat that this guy I think. You think with all the Documented Black ops projects inside the United States that the US government wont get dirty. I direct your attention to Operation Moongoose. Didnt carry out but gies you clear thinking of what the US government thought then and and what they are willing to today. If they can think that. They will make it a reality. A well known photojournalist used sophiticated technology to pierce Area 51. He caught two guys dragging a beat up person. This was ran both on Yahoo and google. His picture went gone from his website three days later. If I can find the picture Ill post it. Again if the US can dream they can make it a reality regardless of US law. There action then and now today prove it. Dont believe everything they say for once and look through the lenses of another side. Ive considered yours and when you brought up how the “CIA claims they are having hard times finding talent” that blew credibility right there to your argument
Look sorry for my aggressive stance. Im no American flag burner hater. Im sorry for the stance taken Starke. Americas founding fathers back me up when I say “dont believe everything the government says. It unfortunate nobdy looks at history as a guide to the present. History truly repeats itself. What happened to Rome is going to happen to us. Im sorry its just history. People can feell differently about the US government than I, but one of the reasons why there is so much red tape, so much of a mess security wise, is not the honest people in the US government its the Dishonest who are ruining things. The only way to vet those people out is to question the government on their claims. Dont take every word. My grandfather served in WWII korean and vietnam(Gulf of tonken) and new they lied. Real security is questiong the government vetting out the garbage by debating and instituting sound policies. We cant do that when both sides have their heads in the sand. I admit I dont know everything. I think some neccessary evils are needed to better secure. Unfortunately recruiting these guys are the REAL answer to dealing with CHINA Iran and so on. This kid is going to fry but I guarentee you some of his friends wont. That it just me. People can disagree, fine. But dont stick your head in the sand and believe them on everything. Question them by informing yourself through different sources other than them. US has abused the law recently with the patriot act. Right Left Middle Media all reported that lately. These people are not in it for the money. They are in it either for kicks, ideology, or economic intrest with companies. You want stuff like this to stop??? How about prosecuting the Corporations that employ them. Thats money right there. That would put a huge dent into the problem. Cant happen. The dishonest in this fed government are preventing for grand delusional reasons, that it will hurt its relations with the companies that employ these punks- Im sorry start there
The irony is, I agree with you on a lot of points, at least in over arching politics. And I do worry about our political sustainability.
And, you’re also correct, America does have a long history of valuing conviction over ethics, and a lot of the 20th century is filled with fun/disturbing little Operations like Mongoose, 40, and Northwoods. Do things like that still happen? Yes, to some extent. But, to dwell to heavily on black ops in a context like this, while entertaining, isn’t terribly productive, no offense.
The fact of the matter is, a lot of Anons genuinely believe, (or at least used to) that should they be caught, their future would be in a well paid government position.
While I shouldn’t guess wildly as to why that is, in their case it really seems to be because of popular media telling them this is how it’s done, and not because of actual covert recruitment tactics.
As for Anons getting positions in corporations? Actually, I kind of suspect that won’t actually be happening. Remember, Anonymous and Lulzsec’s major targets have all been corporations, the very people you worry about influencing government policy. To say it would then make sense that they would turn around and hire the people who avidly worked to destroy them, rather than simply blacklist them, especially given their limited skillsets, and (probable) criminal records seems… well, unlikely.
I mean, the HB Gary and Bank of America attacks alone are probably enough to ensure that.
I do apologize, however, I thought you were simply in the Anon camp, basing your opinions off pop culture’s “we need your hacking skills” without any regard for how government selection processes actually work.
Not much to debate here really. The kid is no different from the criminals they catch and then find that the suspects also aspired to become police officers. That story repeats all the time in the news. There’s a total disconnect with these psychopaths from their behavior and their long term goals. They see nothing wrong with it and that’s a huge problem. It means they cannot discern right from wrong. It’s just hilarious he’s out committing felonies left and right (presuming he’s guilty, which could be totally wrong) while at the same time aspiring to be the guy who stops others from doing the same thing. That’s pretty psychotic. This is the kind of person who one minute could be working for the US Gov’t and the next decide the pay is better or it’s “more fun” working for US opponents. In some ways, this is a product of the environment which today has companies not valuing loyalty and society telegraphing the message “I’ve got mine, you get yours” and “every man/woman for him/herself.” Not surprising I suppose that ethics really mean nothing and morality is a laughable, quaint concept.
Off topic: The US government has issued a Request For Information on malware and bots, see:
http://www.federalregister.gov/articles/2011/09/21/2011-24180/models-to-advance-voluntary-corporate-notification-to-consumers-regarding-the-illicit-use-of
The comment period ends 2011-11-04.
A copy of my response is on my site, at:
http://www.ciphersbyritter.com/COMPSEC/ADVISING.HTM