Could Jeremy Hammond have avoided prison time?

Hagen Lindner
Beyond “Install Tor & Signal”
Jun 21, 2017
Jeremy Hammond — by wikimedia.org

Latest Update: April 29, 2022

This article was initially published as a companion for a workshop held at the Allied Media Conference (AMC2017). Part of that session consisted of talks about different cases of people who were using advanced digital security tools such as Tor to hide their identity, but still got caught.

Who is Jeremy Hammond?

Jeremy Hammond was born in 1985 and grew up in the suburbs of Chicago, together with his twin brother. At the time of his arrest he identified as an anarchist-communist, and many of his actions as a computer hacker were linked to his political beliefs. He became interested in computers and programming at an early age, won a science competition for a program he designed, and first got in trouble for hacking a website of the University of Illinois at Chicago, where he studied back in 2004.

In 2003 Jeremy Hammond founded the security training website “HackThisSite”, a non-profit to teach hacking skills. After he was involved in a hack of the website of the pro-war group “Protest Warrior” in 2005, he was sentenced to 18 months in prison. As part of the Lulzsec hacking group he was later involved in different hacks, including a cyber attack on Stratfor, a private intelligence firm, in December 2011.

Jeremy Hammond’s story has been covered in much detail in some comprehensive articles as well as on freejeremy.net. The freejeremy.net website, which was set up to support Jeremy while he was incarcerated, appears to have been offline since the end of January 2022. Some of the other sources linked in this article are also offline. Therefore I updated some links to the archived versions from the Wayback Machine.

With this article I’d like to show some of the evidence collected against Jeremy and some options to avoid similar situations.

Lulzsec and “Operation Antisec”

screenshot from Geo Group Prison Industry hack by #antisec , February 2012 [1]

As part of a hacking group called Lulzsec, known for their “Operation Antisec”, the hacktivist Jeremy Hammond aka sup_g was arrested by the FBI in March 2012 in Chicago. It was alleged that for years he had successfully attacked security companies, law enforcement and military agencies, and contractors, among others, across the U.S. and abroad. He was convicted and sentenced on his mother’s birthday, November 15th 2013, to 10 years in US federal prison under the Computer Fraud and Abuse Act (CFAA).

Jeremy was supposed to be released in mid-December 2019, thanks to the “good time” he would have been credited with for completing the Residential Drug Treatment Program at the medium-security federal correctional institution (FCI) in Memphis, Tennessee. Instead, he was brought to the Alexandria Detention Center in Virginia in October 2019 to testify before a grand jury investigating WikiLeaks and its founder, Julian Assange.

He was released from being held in contempt for resisting that grand jury in March 2020, and since March 5th 2021, after 9 years to the day, his sentence is over. He still faces a total of three years of supervised release.

What went wrong

The FBI tracked down sup_g with information he had shared over Internet Relay Chat (IRC) from different aliases, and by tying those aliases together with the help of a hacker called “Sabu”, who was turned into an informant. Hammond gave away his identity by revealing information on his past arrests and those of friends, as well as indications that he had served time in a federal prison.

Hammond learns about Stratfor from Monsegur aka Sabu in a private message on December 5th 2011 [2]

Using federal criminal records and other data, FBI investigators were able to narrow the field of suspects rapidly and eventually locked in on Hammond. Read more on the Jeremy Hammond evidence here.

Timeline correlation chart: Hammond’s computer activity and Anarchaos online activity, supplemented by physical surveillance info [3]

What they found was that his Tor usage, which allowed him to hide his IP address, correlated with the times when one of his casual aliases was online and talking to Sabu. You can read more on examples of FBI evidence against Hammond in this article, but be aware of the biased voice that the article is written in.

What they could have done

using different aliases is like wearing different masks — photo by Finan Akbar

Using aliases, and first and foremost different aliases, is a smart thing to do to hide your real persona online. But as it’s still you who talks, there are a few things to always keep in mind:

  • Don’t mention detailed information to others that only the person behind the alias could have known.
  • Avoid linking an alias to real-life events or any personal references (experiences in your life, events near you or even the weather!).
  • Your alias can be linked back to you as a person through certain routines, like online times and sleeping hours (those work as “metadata”).
  • Have a story for every single one of your aliases, like a character in a narrative.
  • Always get your story straight: know the “history” of your alias and ideally have it confirmed by others.

When using an alias in the real world, obviously the same rules apply.

“be noisy”


Creating noise in your network traffic is a fairly easy way to make it harder for others to profile you based on your internet activity. A browser add-on like Adnauseam.io, which clicks on random ads, running makeinternetnoise.com, or checking out this website can help with that. Opening up your network for a window of time, so that there is no wifi password, will bring in all kinds of random traffic as well.

This is a modest example of the larger theory of obfuscation: the idea that if you can’t disappear online, you can hide yourself in a miasma of noise. It’s important to understand that this artificially created network traffic can be detected as non-human. Network noise alone does not grant you any security. While it might work well enough against advertisers, it will not protect your anonymity from a spy or state agency.

  • Create “noise” in your internet traffic to further protect your privacy and make it harder to get clues on your internet activity.

Use Tor the right way


Using Tor is already a pretty good precaution for using the internet anonymously. While using Tor can sometimes draw attention by itself, it definitely does when your network traffic is monitored and Tor is only used during specific times or for specific needs. Using it selectively might make sense at first, as some parts of the internet might not work properly due to the restrictions the browser uses to protect your identity. But it can be used against you if an adversary already surveils you.

  • Use Tor all the time, not just for specific activities.
  • Create random internet traffic when using Tor — ideally by running a script, especially when you’re not at home.
  • Or run a Tor relay on an additional machine in your network.

You could use a Firefox add-on to generate fake traffic as well, but keep in mind that this makes your browser far more unique, so it stands out. The Tor browser with its default settings makes every user look the same.
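The timing correlation described under “What went wrong”, and the reason for the “use Tor all the time” advice above, can be shown with a small calculation. This is an added example, not part of the original article or the case files; all session times are constructed and the function names are hypothetical.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

def parse(spans):
    """Turn (start, end) string pairs into datetime intervals."""
    return [(datetime.strptime(a, FMT), datetime.strptime(b, FMT)) for a, b in spans]

def total(intervals):
    """Summed duration of an interval list."""
    return sum((end - start for start, end in intervals), timedelta())

def overlap(a, b):
    """Time shared by two interval lists (each list internally non-overlapping)."""
    shared = timedelta()
    for s1, e1 in a:
        for s2, e2 in b:
            lo, hi = max(s1, s2), min(e1, e2)
            if hi > lo:
                shared += hi - lo
    return shared

def jaccard(a, b):
    """Shared time divided by time in which either is active; 1.0 = same schedule."""
    both = overlap(a, b)
    return both / (total(a) + total(b) - both)

# Constructed sample data (assumption): when an alias was seen online in chat.
ALIAS_ONLINE = parse([("2020-01-01 19:10", "2020-01-01 23:40"),
                      ("2020-01-02 20:00", "2020-01-03 01:30"),
                      ("2020-01-03 18:30", "2020-01-03 22:00")])
# Constructed: Tor traffic seen from one household only around those sessions.
TOR_SELECTIVE = parse([("2020-01-01 19:05", "2020-01-01 23:45"),
                       ("2020-01-02 19:55", "2020-01-03 01:35"),
                       ("2020-01-03 18:25", "2020-01-03 22:05")])
# Constructed: Tor traffic seen around the clock (always-on use or a relay).
TOR_ALWAYS_ON = parse([("2020-01-01 00:00", "2020-01-04 00:00")])

if __name__ == "__main__":
    for label, tor in (("selective", TOR_SELECTIVE), ("always on", TOR_ALWAYS_ON)):
        print(f"{label:10s} schedule similarity: {jaccard(ALIAS_ONLINE, tor):.2f}")
```

Selective use produces a Tor schedule that is nearly identical to the alias's chat schedule, while always-on use contains the same sessions but says little about when the person was actually active.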

forensic investigation of a macbook
Jeremy Hammond’s computer during forensic recovery — picture from imgur

Never trust a VPN service provider


The IP address of Jeremy’s computer was protected by a virtual private network (VPN). Unfortunately it was using the VPN “hide my ass” (now known as HMA), which got him into trouble, or at least helped law enforcement to track him down.

Generally speaking, using a VPN is a good way to add an additional layer of security. All traffic from your device to the internet is sent encrypted to a VPN server first and then forwarded to the destination address. Your VPN provider gets your real IP address, while your real IP address stays hidden from the destination address. This destination address can be the site or service you’re connecting to. Your first connection will always travel through your Internet Service Provider (ISP). By default the ISP will know that you’re using a VPN, because of the VPN server’s IP address or hostname. Furthermore, the destination you’re connecting to might know this as well, as VPN server addresses are publicly known. There are VPN detection services, like TEOH and IP Quality Score, that some sites use to quietly track and flag VPN traffic.

A VPN helps to prevent “Man-In-The-Middle” (or “On-Path”) and similar network attacks and helps circumvent censorship or geographical blocks on websites and content.

In Jeremy Hammond’s case, and actually that of other LulzSec members as well, the VPN company HideMyAss.com gave up to investigators Hammond’s real IP address, with which he connected to Tor. That helped to establish a connection between his online and physical address. This intelligence / law enforcement technique is also known as “pattern of life analysis”, as it looks at a person holistically.

  • A company shouldn’t control your info in the first place. Don’t count on them, as you don’t know what the VPN vendor is actually doing and how they’re working. But it helps to look into their attitudes regarding privacy.
  • Choose a provider with a zero-knowledge or no-log policy.
  • Often a company that spends a lot on marketing, spends little on engineering!

Wanna use a VPN “somewhat anonymously”?

  • You need to choose one where you don’t have to add any personal info
  • You need to have a way to pay them anonymously, to avoid having your VPN account linked back to you when someone “follows the money”
  • You might wanna use a trial version of a paid service, where you don’t have to put in payment data right away.
  • Avoid using the VPN with a wifi (IP-address) linked to you!
  • Avoid logging into any personal account!

I hope that already illustrates that it is actually really hard, to the point of being impractical, to hide your online identity behind a VPN alone.

Once again: Use strong passwords. Always.

The login screen of Jeremy Hammond’s seized MacBook for the user name “ghost”, post-arrest, Mar. 6, 2012: by @sabufiles

The password to Jeremy Hammond’s account on his personal notebook was weak. Being “chewy123”, his password was both short and likely predictable, as it was taken from the name of his cat.

While there is A LOT written all over the internet about what makes a strong password, it’s always worth remembering that we all have some passwords weaker than others. Especially with passwords used several times daily, like the one unlocking your computer, it’s really easy to get sloppy. So just a few basics to remember here:

  • Length beats most criteria! Consider 18 characters the minimum.
  • Use computer generated passwords
  • Use unique passwords
  • Store & generate passwords with a password manager
  • Use 2nd-Factor-Authentication / Multi-Factor-Authentication whenever possible!
  • Avoid using biometrics as a password, e.g. face unlock or touch id.

table with password strength in relation to number of characters and variety
this table from 03–2022 will be outdated soon, due to growing computing power | source
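
To put numbers on the basics above, the following added example (not part of the original article) compares the search space of a “personal word plus digits” password with an 18-character computer-generated one. The candidate word list is constructed from words that appear on this page, and the function names are hypothetical.

```python
import math
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
MIN_LENGTH = 18  # the minimum length recommended in the list above

def generate(length=MIN_LENGTH):
    """Computer-generated password: every character drawn from the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def random_bits(length, pool):
    """Entropy in bits of `length` symbols chosen uniformly from `pool` symbols."""
    return length * math.log2(pool)

def pool_size(password):
    """Combined size of the character classes a password actually uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(c) for c in classes if any(ch in c for ch in password))

def estimate_bits(password, personal_words):
    """Search-space estimate in bits. A password built as <personal word><digits>
    is sized as 'pick a word from the list, then try every digit suffix of that
    length', not as a string of random characters."""
    m = re.fullmatch(r"([A-Za-z]+)(\d*)", password)
    if m and m.group(1).lower() in personal_words:
        return math.log2(len(personal_words) * 10 ** len(m.group(2)))
    return random_bits(len(password), pool_size(password))

# Constructed candidate list (assumption): words tied to the person on this page.
PERSONAL_WORDS = {"chewy", "ghost", "chicago", "jeremy"}

if __name__ == "__main__":
    print(f"chewy123, naive estimate : {random_bits(8, pool_size('chewy123')):6.1f} bits")
    print(f"chewy123, personal words : {estimate_bits('chewy123', PERSONAL_WORDS):6.1f} bits")
    print(f"18 random characters     : {random_bits(MIN_LENGTH, len(ALPHABET)):6.1f} bits")
    print("sample generated password:", generate())
```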

Those tips on advanced operational security might sound like a “yes” to the initial question from the headline. I personally doubt that those would help Jeremy to stay out of prison. If a highly skilled adversary — like the FBI — declared you “a state enemy” [4] and a comrade already turned on you, as is the case with Sabu from lulzsec, you would need a very sophisticated escape plan to disappear. Still you would be hunted.

The main idea behind the series Beyond “Install Tor & Signal” is to share stories and key learnings from actual cases, Freedom of Information Act (FOIA) requests or unsealed public records, as well as verified published accounts of how circumvention technologies can be defeated. The hope is to improve operational security (#opsec) and glean the sources, capabilities and methods of various security forces and law enforcement agencies.
