The Trackback and Arrest of Sabu

A pastebin entry on June 25, 2011 accused Sabu of hacking into HBGary, among other things. It started with an anti-“anti-sec” argument.

From what we’ve seen these lulzsec/gn0sis kids aren’t really that good at hacking. They troll the internet and search for sqlinjection vulnerabilities as well as Remote File Include/Local File Include bugs. Once found they try to download databases or pull down usernames and passwords. Their releases have nothing to do with their goals or their lulz. It’s purely based on whatever they find with their “google hacking” queries and then release it.

What’s funny to us is that these kids are all “Anti-Sec” yet by releasing their hacks they are forcing these companies to have to hire security professionals which keeps the Security Industry that they are trying to expose and shut down, in business.

This argument is one I agree with and have been presenting at numerous conferences (including last week’s RSA) but with a slight difference. I try not to fall into judging those who attack as good/bad but rather speak to a measure of the strength of defence. Here is why: the problem with an argument over who is “really that good at hacking” is that there are as many different definitions of what constitutes good hacking as there are people who claim to be good at it.

Let me try to explain by way of popular cartoons. Many seem to rate hacking skills as though they are channelling a classic Wile E. Coyote and Road Runner dichotomy (winners win and losers are always losing — easy to pick a side).

However I see competition in the arena of trust (the real root of hacking) more accurately reflected by the series of satirical cartoons by Antonio Prohías (Spy vs. Spy).

I am not just asserting Spy vs. Spy is a closer reflection of reality. I also am drawing on history (pun not intended) behind the cartoons. The origin of the balance depicted in Spy vs. Spy by Prohías comes from a harsh critique of Communism in Cuba. He depicted Soviets as deceptive and therefore untrustworthy allies of Castro, as you can see in this 1960 example from the Newspaper El Avance Criollo that says “I’ll stay just for dinner and leave”.

Imagine now that the hackers who compete for status are highly political. It does not have to be Castro and Khrushchev. Who should we say is “good at hacking” when two sides test levels of trust? The source of ambiguity in Spy vs. Spy is reality.

The point is that we should not settle into the comfort of the Road Runner fantasy but rather try to understand the Spy vs. Spy battle. The larger political and social arena makes the question of who to call “really that good at hacking” far more complex than just technical ability.

Back to the story, someone other than Sabu in early June posted Sabu’s real name, email, IP and location online. By the end of June it was public on Pastebin.

Name: Hector Xavier Montsegur
Location: New York, New York
Race: Puerto Rican ?

Handles: 548U, hectic_les, leon
IP: (

Profiles: ?


dox confirmed by archived whois entries for (his personal site according to #hq logs which he anonymized DNS after release)

As the information started to spread the authorities faced losing a lead and the element of surprise to seize evidence. They moved in only a few weeks later and made an arrest of a man living on government assistance. has identified as Hector Xavier Monsegur. Working under the Internet alias “Sabu,” the unemployed, 28-year-old father of two allegedly commanded a loosely organized, international team of perhaps thousands of hackers from his nerve center in a public housing project on New York’s Lower East Side. After the FBI unmasked Monsegur last June, he became a cooperating witness, sources told “They caught him and he was secretly arrested and now works for the FBI,” a source close to Sabu told

This was not the arrest of Road Runner, or even vice versa (Road Runner as law enforcer). Whether or not we say the accused was the most brilliant hacker, or a “computer genius”, he showed an inability to defend himself from those who counter-attacked. In other words a competition of pride and status with technology easily can be set aside when we look at the overall strength of defence.

There were trivial technical weaknesses (a failure to block direct communication — he could have just setup a simple fail-safe proxy — and a failure to move communication paths to defeat traffic profiling) but it was all coupled with other weakness in defence (he had numerous exposed assets). Technical weakness means lessons will be learned but the latter, a fundamental business logic flaw, is what truly forced Sabu to adjust his trust relationships.

The agents worked their prey, using the time-honored good cop/bad cop routine. Bad cop stormed out of Monsegur’s apartment yelling, “That’s it, no deal, it’s over, we’re locking you up.”

The computer genius finally gave in, surrendering to the most clichéd tool in the law enforcement arsenal. But the agents had more than just skills – they had leverage.

“It was because of his kids,” one of the two agents recalled. “He’d do anything for his kids. He didn’t want to go away to prison and leave them. That’s how we got him.”

It is not clear yet whether all the facts are in (see PDF of “United States Attorney Charges”) but if I were to take a wild guess I would say Sabu’s critical flaw in his operation was not from technical failures, although those didn’t help, but rather from his bold sense of entitlement.

Some reports have suggested he was lazy but I think it more accurate to say he was motivated for easy gains without intention of a fair exchange or ability to generate sufficiency. He was taking hand-outs from the government while attacking it, for example. That is a very difficult strategy and platform to maintain, especially as an activist trying to build trust among peers. Sabu apparently did not factor how much his defence depended on weakened relationships; like a Spy caught out by another Spy, he probably only realised too late how much he stood to lose.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.