Suspected LulzSec hacker arrested for attack on Sony

By Lee Kaelin on September 23, 2011, 12:30 PM

The FBI arrested a suspected member of the hacking group LulzSec yesterday for allegedly taking part in an extensive security breach involving Sony Pictures Entertainment. The hacker, 23-year-old Cody Kretsinger, is charged with conspiracy and the unauthorized impairment of a protected computer in connection with the attacks on the film studio in May and June.

The nine-page indictment, unsealed yesterday, accuses Kretsinger and other conspirators of obtaining confidential information from Sony computers using a SQL injection attack against its website. It is common for hackers to use this type of attack to gain access to servers and steal information by exploiting vulnerabilities in its defences.

The indictment further accuses Kretsinger, also known online as "recursion", of helping post information the group stole from Sony on LulzSec's website and of announcing the intrusion on the hacking group's Twitter account. He also stands accused of erasing his hard drives after the attack, in a bid to evade law-enforcement.

At the time of the attacks, LulzSec published the names, date of births, addresses, emails and phone numbers of thousands of people who had entered competitions run by the Sony corporation.

"From a single injection we accessed EVERYTHING," they said in a statement at the time. "Why do you put such faith in a company that allows itself to become open to these simple attacks."

If convicted, the hacker faces a maximum sentence of 15 years in prison. The government is currently requesting that he's moved to Los Angeles, the location of the hacked Sony computers and where the case against him was filed. The FBI is still investigating the extent of the damages caused by the attack and Sony has yet to comment on the arrests.




User Comments: 17

Got something to say? Post a comment
gwailo247, TechSpot Chancellor, said:

Oh the irony....

To paraphrase:

"From a single warrant we accessed EVERYTHING," the FBI said in a statement at the time. "Why do you put such faith in a company that allows itself to become open to these simple court orders."

Guest said:

The long arms of the law always win. :) hooray for justice.

Guest said:

I'd only call it justice if he gets an appropriate sentence.

Keep things in perspective, this isn't aggravated assault or aggravated battery, both of which have an average prison term of only 3.7 years.

It's not like he killed or injured anyone, so give him a $10k fine or a few months in prison.

Guest said:

Justice my ***...

Leeky Leeky said:

It's not like he killed or injured anyone, so give him a $10k fine or a few months in prison.

Given the increase in recent times of hackers compromising corporations, and publicly sharing the spoils I very much doubt you'll be seeing light prison terms.

Its likely the Justice Departments, courts and Judges will all want to impose heavy sentences as a warning to those hackers that do continue to break the law. But when it comes to justice, the outcome is usually surprising so its entirely possible.

gwailo247, TechSpot Chancellor, said:

Guest said:

It's not like he killed or injured anyone, so give him a $10k fine or a few months in prison.

He participated in disrupting the lives of thousands of people. I've had friends who had to change all their contact info, credit cards, etc, because of this crap.

No, he and all his little buddies should get nice long sentences of jail time, and even if they're not getting pounded in the ass daily, the threat of it, or getting beaten up, or having all your stuff taken away from you, will make them reconsider the value of LULZ.

People like you are exactly the problem. Nothing happened to you, so you don't care, you think its funny. Perhaps you're 12 and having your identity stolen is not a big deal to you, but for people, adults, to whom it has happened, have had their lives disrupted for years while they try to restore their good name and credit.

Sentences need to be much harsher, so that hackers don't think that the worst thing that will happen to them if they end up getting caught is becoming an editor at Wired.

Burty117 Burty117, TechSpot Chancellor, said:

To be honest I bet half the things he's being sentence for he didn't participate in, hell I bet he only read the twitter page and torrented the database because he clicked the link from his favourite news site, but still, I would have hated getting my identity stolen, I guess someone has to be made an example of, although I feel Sony should have been in court over this more, they held our details in plain text for christ sake!

To be honest, I'm still on the fence about all this hacking business

slamscaper slamscaper said:

Well, I always said this would happen sooner or later. It's funny how Lulzsec tried to portray the FBI as being ignorant and idiotic, yet this guy was still caught despite the fact that he nuked his hard drives to cover everything up.

No matter how good these hacker groups think they are, there's always someone better working for the other side. The FBI knows every cyber trick in the book and they'll play dirty if they have to. If they stay on the case long enough, they catch everyone eventually.

PanicX PanicX, TechSpot Ambassador, said:

gwailo247 said:

Guest said:

It's not like he killed or injured anyone, so give him a $10k fine or a few months in prison.

He participated in disrupting the lives of thousands of people. I've had friends who had to change all their contact info, credit cards, etc, because of this crap.

No, he and all his little buddies should get nice long sentences of jail time, and even if they're not getting pounded in the ass daily, the threat of it, or getting beaten up, or having all your stuff taken away from you, will make them reconsider the value of LULZ.

People like you are exactly the problem. Nothing happened to you, so you don't care, you think its funny. Perhaps you're 12 and having your identity stolen is not a big deal to you, but for people, adults, to whom it has happened, have had their lives disrupted for years while they try to restore their good name and credit.

Sentences need to be much harsher, so that hackers don't think that the worst thing that will happen to them if they end up getting caught is becoming an editor at Wired.

I completely disagree. It's knee jerk reactions like yours that are the biggest threat to society today. I believe the Guest is correct in his statement. Violent criminals are often given less that 5 years for robbery, battery, rape and assault. Perhaps you've never been a victim of these crimes, so you don't care, you think its funny. But the fact is that the harm from inconveniencing people is not even comparable to the harm of violent crime and yet we don't punish these crimes accordingly.

captaincranky captaincranky, TechSpot Addict, said:

I completely disagree. It's knee jerk reactions like yours that are the biggest threat to society today. I believe the Guest is correct in his statement. Violent criminals are often given less that 5 years for robbery, battery, rape and assault. Perhaps you've never been a victim of these crimes, so you don't care, you think its funny. But the fact is that the harm from inconveniencing people is not even comparable to the harm of violent crime and yet we don't punish these crimes accordingly.
And I completely disagree with you.

The disparity of sentencing is mostly one of jurisdiction. Murder, and other violent crime only rises to the federal level when crossing a state line or if the death / injury of a federal agent is involved. In which the penalties are doubled!

Local jurisdictions don't have the resources to carry sentences to term, and as a consequence the last felon is kicked out of jail to make room for the next.

The fed has the facilities to keep you as long as they deem appropriate, there's no parole, and you serve a minimum of 85% of your sentence. To the upside, I hear that federal prisons are much nicer than the average county jail...., by a long shot. Hence the commonly held, "Club Fed" assessment. Pack your tennis racquet though, you'll be there for a quite while. Urban legend aside, during the 90's federal prison reforms were enacted. So Dorothy, you're not in the Kansas Federal Country Club anymore, and clicking your heels together simply won't work. Now, bend over for your cavity search.

So yeah, violent criminals should serve longer sentences, but computer criminals shouldn't get away with a slap on the wrist.

The issue of differential treatment between blue and white collar crime has raged for decades. And the song usually is that white collar criminals get off too easy. Do you think Bernie Nadoff got a fair sentence? The truth there is, they can't keep that smuck alive long enough to give him the 500 or so years he deserves.

Much like Gwailo, I'm really sick of listening to a bunch of punk a**, egomaniacal, possibly trannsexual, smack offs on Fadebook, telling me they're stealing everybody's personal information for our own good. Oh yeah, next time I'm fourteen, I'll buy into that.

If they're that fond of Bull S***, let them serve their sentences on a prison farm, where they can shovel it up for real, erstwhile we don't have to listen to it.

matrix86 matrix86 said:

gwailo247 said:

Guest said:

It's not like he killed or injured anyone, so give him a $10k fine or a few months in prison.

He participated in disrupting the lives of thousands of people. I've had friends who had to change all their contact info, credit cards, etc, because of this crap.

Hate to break it to you, but the courts don't give a flying flip how much time people had to spend changing all their info and canceling credit cards. All they care about is what the perp did in regards to the law.

But anyway, i've been having trouble pinning down exact penalties for the computer misuse act, but here's a tid bit from an article on the bill:

"The bill will increase the penalty for unauthorised access offences from six months to two years, and for unauthorised modification of computer systems from five to 10 years." This is from an article posted 6 years ago about amendments to the original act.

captaincranky captaincranky, TechSpot Addict, said:

Hate to break it to you, but the courts don't give a flying flip how much time people had to spend changing all their info and canceling credit cards. All they care about is what the perp did in regards to the law. .

Actually, at the federal level, and in a round about sort of way, they do.

Federal sentencing guidelines give and take points away for behaviours during the commission of a crime. You rob a bank, that's xx points. You're carrying a gun,that's more points. You pull it out, more points. You fire it, more points again. Points added are months added to your base sentence.

What has to happen, is the guidelines need to be updated in a reasonable manner, to compensate for the severity of impact of a given computer crime.

Law enforcement must continue to evolve and keep pace with cyber crime. certainly is.

gwailo247, TechSpot Chancellor, said:

matrix86 said:

Hate to break it to you, but the courts don't give a flying flip how much time people had to spend changing all their info and canceling credit cards. All they care about is what the perp did in regards to the law.

Nobody is getting my point it seems. My point is that in a cybercrime the amount of victims is staggering compared to "real world" crimes. When you steal the credit card numbers of 100,000 people, you're affecting 100,000 lives. If you steal one guy's wallet, you get, let's say, six months. Now, if you steal 100,000 guys "virtual wallets" you get six months. The amount of victims in a cyber crime is not taken into account when sentencing happens.

All I am saying is that when cyber criminals are sentenced, the amount of damage they do should be taken into account, not just the single count of computer hacking. If you set a building on fire in order to get back at your ex, and you end up killing 50 people, you don't get charged with one count of arson, and the deaths are just counted as incidental to the fire, you get charged with 50 counts of murder, and you get 50 life sentences.

I understand that sentencing guidelines don't reflect this fact, that is what bothers me. I don't think that people should get life sentences for stealing credit card numbers, but when you disrupt the lives of so many people, your sentence should reflect the amount of chaos that you did to society, even something as trivial as forcing people to get new credit card numbers. If a car thief can get a few years for stealing a car, why does a guy whose economic damages are in the millions in terms of man hours of work needed to rectify the problem he caused should get a slap on the wrist? If you steal 100,000 credit card numbers, you stole from 100,000 people. A decade in prison would be a fair penalty for such a crime, not six months and a $10,000 fine. How is that even a fair punishment for the damage the person has done? That's a joke, and it's not punishment, and it's not a deterrent. It's an inconvenience. And crimes of this scope, that cause this much damage and havoc to society, should not be punished with an inconvenience.

captaincranky captaincranky, TechSpot Addict, said:

Nobody is getting my point it seems.
I completely get your point, and agree with you completely. Which is why my feelings are so hurt, when you, in such a cavalier and disdainful fashion, brutally stuff me in the "nobody" category.

gwailo247, TechSpot Chancellor, said:

captaincranky said:

Nobody is getting my point it seems.
I completely get your point, and agree with you completely. Which is why my feelings are so hurt, when you, in such a cavalier and disdainful fashion, brutally stuff me in the "nobody" category.

My apologies good sir.

I will henceforth only refer to you as "nobody" when being interrogated by a angry cyclops.

NTAPRO NTAPRO said:

Why do they move people to California? I keep hearing about that place when Sony is mentioned...

NTAPRO NTAPRO said:

gwailo247 said:

Guest said:

It's not like he killed or injured anyone, so give him a $10k fine or a few months in prison.

He participated in disrupting the lives of thousands of people. I've had friends who had to change all their contact info, credit cards, etc, because of this crap.

No, he and all his little buddies should get nice long sentences of jail time, and even if they're not getting pounded in the ass daily, the threat of it, or getting beaten up, or having all your stuff taken away from you, will make them reconsider the value of LULZ.

People like you are exactly the problem. Nothing happened to you, so you don't care, you think its funny. Perhaps you're 12 and having your identity stolen is not a big deal to you, but for people, adults, to whom it has happened, have had their lives disrupted for years while they try to restore their good name and credit.

Sentences need to be much harsher, so that hackers don't think that the worst thing that will happen to them if they end up getting caught is becoming an editor at Wired.

Not everyone gets pounded in the ass >_>

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.