
How-To Document Conspiracies and Other Crimes

Sunday, May 1st, 2016

I was reading the supplemental indictment of Lauri Love (New Jersey, Crim. No. 13-712, 03/23/15) when I stumbled on:

The text of the chats is reproduced in this Superseding Indictment as it appears in the chat logs; errors in spelling and punctuation have not been corrected. [Footnote 1, page 8]

It never occurred to me:

8. The manner and means by which defendant LOVE and others sought to accomplish the conspiracy included, among other things, the following:

j. It was further part of the conspiracy that defendant LOVE and other Co-Conspirators would communicate about their hacking activities in secure IRC channels. The Co-Conspirators would use more than one screen name (“nic” or “nicks”) and would often change names to further conceal their identities. For example, in an IRC communication on or about January 24, 2013, LOVE, using the online moniker “route,” discussed his efforts to conceal his identity and hacking activities, and to avoid detection: (emphasis added)

That’s the hack documentation solution, isn’t it? Using “…secure IRC channels!”

In addition to using “…secure IRC channels” to engage in and further the conspiracy, those channels captured evidence of:

  1. Naming victims
  2. Discussing vulnerabilities of specific victims
  3. Discussing active hacks (tying dates to acts)
  4. Discussing results of hacks

I haven’t seen the full chat log (leakers anywhere with a full copy?) but a chat log with dates, victims, results, exploits used, etc. can document what would otherwise have to be inferred from forensics on the targeted systems.

There may be other logging IRC chat servers but I know that InspIRCd offers USERINPUT - USEROUTPUT, which use a lot of disk space.

IRC clients, too, offer the ability to capture logs of chats on any channel. See: Recording an IRC channel on Linux/Ubuntu. Specifics vary from client to client, so check your documentation.

Even if neither the IRC server nor you are capturing a chat log, anyone else on the channel may be capturing the chat. If you forgot to capture, ask another member of the chat for their log.

The more detailed your chat, the easier it will be to match up your activities with such forensics as exist on the targeted systems and evidence on one or more of the computers used to carry out the hacks.
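The indictment notes that nicks were changed to conceal identities, yet any log kept by a server, a client or another channel member records each change. The sketch below is an added example, not part of the original post: it assumes irssi's default log layout, uses constructed sample lines with made-up nicks, and shows how a reviewer reading such a log folds every later nick back to the first one seen and rebuilds a dated timeline.

```python
import re
from collections import defaultdict

# Constructed sample in irssi's default log layout (not from any real case).
SAMPLE_LOG = """\
--- Log opened Thu Jan 24 21:00:00 2013
21:00 -!- alpha [u1@host.example] has joined #chan
21:01 < alpha> first message
21:05 -!- alpha is now known as bravo
21:06 < bravo> second message
21:07 < delta> unrelated speaker
21:09 -!- bravo is now known as charlie
21:10 < charlie> third message
--- Log closed Thu Jan 24 21:30:00 2013
"""

OPENED = re.compile(r"^--- Log opened \w{3} (\w{3} \d{1,2}) [\d:]{8} (\d{4})$")
RENAME = re.compile(r"^(\d\d:\d\d) -!- (\S+) is now known as (\S+)$")
MESSAGE = re.compile(r"^(\d\d:\d\d) <[ @+%&~](\S+)> (.*)$")


def link_nicks(log_text):
    """Return (timeline, aliases). Timeline rows are
    (date+time, first nick seen, nick used on that line, text).
    Assumption: a released nick is not reused by someone else in this log."""
    current = {}                 # nick in use now -> first nick seen
    aliases = defaultdict(list)  # first nick seen -> every nick, in order
    timeline, day = [], "unknown date"
    for line in log_text.splitlines():
        if m := OPENED.match(line):
            day = f"{m.group(1)} {m.group(2)}"
        elif m := RENAME.match(line):
            _, old, new = m.groups()
            root = current.pop(old, old)
            if not aliases[root]:
                aliases[root].append(root)
            aliases[root].append(new)
            current[new] = root
        elif m := MESSAGE.match(line):
            hhmm, nick, text = m.groups()
            timeline.append((f"{day} {hhmm}", current.get(nick, nick), nick, text))
    return timeline, dict(aliases)


if __name__ == "__main__":
    for row in link_nicks(SAMPLE_LOG)[0]:
        print(row)
```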

Saying IRC channels are “secure” is a mistake of fact. They are “secure” in the sense that if you don’t have a network connection, you can’t join the chat. See: How to Setup a Secure Private IRC Channel for more mis-use of the terms “secure” and “private.”

OnionIRC appeared long after the indictments of Lauri Love.

It isn’t possible to know if an OnionIRC server on the Dark Web is logging your IRC chats or not. For example, one docker container for running an IRC server as a Tor hidden service explicitly calls out that logging is disabled by default, but that can be changed.

If you want documentation of your conspiracy and other crimes while using IRC, if you use an OnionIRC server, on the Dark Web or not, be sure to capture your chat log.

Remember a detailed log for a secure IRC channel can be invaluable for documenting conspiracies, other crimes and matching up with other evidence.

Why would you want to document conspiracies and other crimes? Well, bragging rights in the prison yard, priority in terms of the first hack of X or use of Y for a hack, autobiography, CV in some cases. There are downsides to documenting conspiracies and other crimes but I am sure those will occur to you without any encouragement from me.

PS:

I’m assuming in this post you have accepted the risk of communicating with unknown others over IRC. Remember the saying: “On the Internet, no one knows you are a dog” (or police or “intelligence agency”).