Martin McKeay

Infosec Sell Out outed, disappears

By Martin McKeay
July 18, 2007 12:18 PM EDT
When the Information Security Sell Out site appeared in February, I wasn't particularly happy about it, since one of the first posts on the site was a rant against the Security Bloggers Meetup I helped organize at RSA in February.  If it had just been a rant by someone who had been willing to identify themselves, I wouldn't have been too put out, but the author was making claims of having been there.  I don't mind being criticized for something I've done, as long as you're willing to identify yourself and take a dose of your own medicine.  I find hiding behind a mask of anonymity dishonest, especially if you're just using it to make malicious attacks.

The identity of the Sell Out remained a point of curiosity for me, but it really bugged some of the other people he used the site to attack.  And, no surprise to anyone, when you attack a group of security professionals, someone is going to find out who you really are.  Last night an anonymous source (how apropos) revealed to Cutaway the identity of the Sell Out.  The Sell Out is primarily the hacker LMH, responsible for the Month of Apple bugs, but he's apparently backed by the Phrack High Council. And, perhaps coincidentally, all of the content on the site was taken down just a few minutes after Cutaway posted this information to his blog.  This may have had something to do with the claim of having developed an Apple worm, or it may just be that the Sell Out was afraid to continue with his identity publicly revealed.

Whatever the reason, the Information Security Sell Out site is no more.  More accurately, it's now the "Security Information" site.  All of the posts that had been written since it's inception in February have gone missing.  Of course, they're probably still available through the Wayback Machine or Google caching, so taking down the posts seems a bit pointless to me.  Maybe one of the first posts they'll make is an explanation of why the site was scrubbed. 

Anonymity on the Internet is an illusion.  You can remain anonymous, but only as long as you haven't attacked someone who's got the time, energy and capability to track you down.  You might get away with one or two posts to a forum, but trying to keep up a blog attacking security researchers and professionals is bound to get you outed sooner or later.  Which is exactly what LMH found out.