Roommate: Alleged hacker said he was paid to attack news site

Defendant's friend thought it was just a boastful claim

Alleged Palo Alto Online hacker Ross M. Colby told a housemate that he had hacked a news website for pay, according to testimony in San Jose federal court on Friday.

The revelation came after two days of largely technical testimony by FBI special agents and the Information Technology department staff of Palo Alto Online's parent company Embarcadero Media.

Colby is charged with two felonies and three misdemeanors relating to alleged computer intrusions leading up to the Sept. 17, 2015, shutdown of five of the news organization's websites and erasure of internal file servers.

The former roommate, who is a software engineer, was one of four housemates sharing a residence in 2015 with Colby on South Van Ness Avenue in San Francisco.

He testified that when Colby told him about having hacked a newspaper website he didn't believe him and viewed it as just a boastful claim.

"He's made other hard-to-believe remarks," he said.

Neither the prosecutor nor Colby's defense attorney asked further questions of the roommate regarding the statement.

The roommate also testified that he once witnessed Colby successfully gain access to the protected areas of a friend's website, with the friend's permission, in order to demonstrate the site's vulnerability.

He testified that he and Colby had a number of conversations about computer security, and frequently had discussions about the Linux operating system and about Virtual Private Networks or VPNs, which are used to set up private internet addresses to maintain a user's anonymity.

The roommate said he helped Colby set up a VPN, but testified he had never participated in any hacking activity nor accessed anyone's email account without permission.

Vicki Young, Colby's attorney, tried to discredit the roommate's testimony by questioning him about previous mental health problems and drug use.

The roommate indicated he might want to take the Fifth Amendment against self-incrimination and decline to answer the questions about past drug use, and he was excused from the court for a short period of time so he could receive advice from a court-appointed attorney. He then returned to the witness stand and said he would testify fully and forthrightly.

Young questioned the reliability of his memory and whether it had been affected by his drug use.

But the roommate disputed that his memory was impaired. While all drugs affect memory in some sense, his memory would not have been greatly affected, he said.

"I was employed as a software engineer, which required a lot of memory," he added.

He said he was not using drugs any longer, nor at the time when Colby made his admission regarding a hack. He was in a drug rehabilitation program at that time, he testified.

He reconfirmed on questioning from prosecutors that he clearly remembered his conversation about the hack with Colby and that it had taken place in the apartment hallway.

Because he has not been charged with any crime, Palo Alto Online is not publishing his name.

The roommate also testified that he held no ill feelings toward Colby and still considered him a friend.

"I hope he will still think of me as his friend," he said, despite his testimony.

The roommate appeared pursuant to a subpoena from the government, as did all prosecution witnesses.

Earlier in the day, John Colby, Ross Colby's father, testified that his son was visiting at the father's residence in Massachusetts in late July 2015 for about ten days, a period during which intrusions into Embarcadero's system occurred.

Prosecutors had previously shown that John Colby's home IP addresses -- the string of numbers identifying specific internet connections -- were used to access the email accounts of Embarcadero Media employees during late July and early August 2015.

The elder Colby, a retired Massachusetts state trooper, said he has never accessed another person's email account without their permission.

Evidence presented by the FBI also showed that the IP address at Ross Colby's San Francisco residence had been used to access the Embarcadero IT employees' email accounts, as had the IP address of the Flying Pig Bistro, a small cafe frequented by Colby across the street from his Van Ness Avenue residence.

In her cross-examination of FBI special agent Anthony Frazier, Young focused on numerous connections that were made into the Embarcadero accounts using VPNs that hid the IP address of the person connecting, and pointed out that Colby's own email accounts were also accessed from untraceable IP addresses.

But during Assistant U.S. Attorney Susan Knight's redirect questioning, Frazier said that a person using a VPN could use it to access their own email account while using another device to access another site.

Prosecutor Joe Springsteen asked about the significance of a suspect using a private IP address to access his personal account if the period of use was in close proximity to the IP address being used for criminal activity.

"If a suspect used an IP address to conduct criminal activity and then personal activity it would indicate that the person was the same individual," Frazier said.

John Allan Arsenault, general counsel for London Trust Media, a VPN company, testified about how many VPN companies, including his, intentionally don't retain logs of Internet activity of their clients so that they cannot be produced in response to subpoenas from law enforcement or others. London Trust Media operates the brand Private Internet Access (PIA), which owned several IP addresses used to hack Embarcadero Media.

Private Internet Access does not log user activity, such as what files they accessed or changes they made to a website.

The company accepts many kinds of payment methods, including cryptocurrency, but it doesn't keep records of the individual's name and address. The only record of the customer maintained is the email address provided when signing up for the service.

There are many legitimate uses for VPNs, including by large corporations with worldwide operations, law enforcement and investigative journalists who might want to protect their sources, but he admitted some people use them for nefarious purposes.

Arsenault said he could not find any record of Ross Colby subscribing to the VPN service when he searched using Ross Colby's two known email addresses, which he received from law enforcement.

But that means little, he said.

"We're limited to search by what the government gives us. Just because we can't find it doesn't mean" they didn't use the VPN service.

"Someone could create a throw-away (email) account to subscribe to us," he said.

Someone using Private Internet Access-owned IP addresses did log in to the email accounts of Embarcadero Media IT employees Frank Bravo, Chris Planessi and Cesar Torres in early August, he said.

The person used at least three Private Internet Access-owned IP addresses to gain access to the employees' accounts dozens of times, Arsenault said. Cesar Torres' Google accounts were accessed on Aug. 4 and Planessi's Google accounts on Sept. 14 and 15.

Some of the dates, particularly in August, were also when John Colby's accounts in Massachusetts were used to hack the Embarcadero IT employees' addresses.

Keena Willis, a senior paralegal compliance officer for GoDaddy.com, a domain name-hosting company, testified that on Sept. 17, 2015, starting at about 10:48 p.m., someone began altering five Embarcadero Media-owned domain names, including embarcaderomediagroup.com, paloaltoonline.com, almanacnews.com, supportlocaljournalism.com and tourdemenlo.com.

At 11:12 p.m., someone canceled PaloAltoOnline.com with the others following in the minutes thereafter. The domain pages were sent to a parked page which contained the Guy Fawkes image and a notice that the Embarcadero websites had been hacked.

Meanwhile, Embarcadero would not receive notifications of the shutdowns because it no longer had control over its email addresses. The Google Mail MX records, which specify a mail server responsible for accepting email messages on behalf of a domain, were also sent to another black hole at nowherenowherenowhere.net.

"The emails would literally go nowhere," Willis said.

The hacker also changed the contact phone number from Embarcadero's general office number to one at a 404 area code in Atlanta, Georgia. If GoDaddy tried to contact the subscriber, it would not have been able to reach the company, she said. The FBI previously testified the number belonged to an individual who was not implicated in the crime.

Embarcadero Media IT Director Frank Bravo was able to change the domains back to Embarcadero Media that same night after submitting a credit card number that GoDaddy used for verification. But it took five days to get all of the changes fully corrected.

Both sides are expected to rest their cases and deliver closing arguments on Monday. The jury is expected to begin deliberations that same day.

Read more articles on Colby's trial:

Second day of hacking trial focuses on FBI investigation

Accused Palo Alto Online hacker allegedly intended economic damage

Trial of alleged Palo Alto Online hacker to begin

Sue Dremann
 
Sue Dremann is a veteran journalist who joined the Palo Alto Weekly in 2001. She is a breaking news and general assignment reporter who also covers the regional environmental, health and crime beats.

by Sue Dremann / Palo Alto Weekly

Uploaded: Sat, Jun 2, 2018, 7:26 pm
Updated: Mon, Jun 4, 2018, 8:10 am


Comments

That's interesting
Another Palo Alto neighborhood
on Jun 3, 2018 at 12:34 am

I hope we will find out who might have paid this guy. At the time of the hack, Paloaltoonline was reporting a lot of controversial school district stuff with persons involved having very kneejerk CYA tendencies. It would be interesting to know over what local issue someone would pay to take out the newspaper, and if any other local entities may have been affected.


resident
Downtown North
on Jun 3, 2018 at 9:34 am

These allegations are interesting if true, but the article is not very convincing. If a friend told me he was being paid to commit a felony, I would immediately ask who is paying him. Why is that never discussed in this article?

[Moderator's Note: As the story states, the roommate testified that he didn't believe Colby at the time he made the statement about having been paid and considered it just another "hard-to-believe" boast. Unless Colby chooses to testify, which prosecutors can't compel, there is no way for this to be probed with him. Colby's defense attorney has indicated she is unlikely to call Colby to testify.]


Online Name
Registered user
Embarcadero Oaks/Leland
on Jun 3, 2018 at 9:54 am

Very interesting. Were the sites hacked during an election period? We need to know who paid the hacker.


resident
Downtown North
on Jun 3, 2018 at 10:23 am

The hack was in September 2015, so probably not the work of Steve Bannon.


Juan
Mountain View
on Jun 3, 2018 at 1:48 pm

I would not be shocked if someone actually paid this person to do the hack. We live in an era where the President of the United States himself is attacking journalism and independent journalists for having the courage to report the truth. It's not acceptable to attack the free press for any reason, I hope the judge throws the book at this guy.


That's Interesting
Another Palo Alto neighborhood
on Jun 3, 2018 at 8:28 pm

I'm just sayin'. If the guy was paid, the most interesting thing about this case is who paid him and why.


CrescentParkAnon.
Crescent Park
on Jun 3, 2018 at 11:36 pm

> Young questioned the reliability of his memory and whether it had
> been affected by his drug use.
>
> But the roommate disputed that his memory was impaired. While all
> drugs affect memory in some sense, his memory would not have
> been greatly affected, he said.
>
> "I was employed as a software engineer, which required a lot of
> memory," he added.

This is kind of a riot. A lot of programmers take drugs, drink massive caffeine,
eat sugary junk foods, the idea that any of this would affect someone's memory in
testifying in court is kind of a desperation move.

But, I do have to admit when you look at the Internet, and all the never-ending,
and never-to-end security holes in everything that touches it, whoever designed
and programmed it was likely on the very best drugs money could buy.

Not only that, but in my experience, a lot, maybe most software engineers
are unscrupulous, dishonest, and more out for themselves than they are
to do an honest job. A surprising number will leave bugs in software to
keep an open-ended support contract, or build in back-doors to systems
so they can access, hack and grab data or obfuscate another hack by using
a former employer's system.

The ethics and morals of a surprising number of techies are to say the very
least questionable, yet it continues to exist because it raised the importance
and salaries of all. Remember the Y2K crisis?

We would be better off with the old point to point telco systems and not a
system where practically anything is findable, accessible and attackable from
anywhere. What we have today creates crime and incentivizes major
commercial and government abuse, and we have no Earthly idea what will
happen with and to it in the future at all, except that multitudes of experts
keep saying this is a global disaster waiting to happen, and impossible to
autopsy if and when it does.

It would be great if our law-enforcement agencies could use this right, corruption
and organized crime could be ended inside of a year ... but is that happening?
What is really going on? What is the next Ed Snowden going to tell us or will
he be surveilled and stopped before he can click submit?


Jim
Menlo Park
on Jun 4, 2018 at 1:32 pm

> But, I do have to admit when you look at the Internet, and all the never-ending,
> and never-to-end security holes in everything that touches it, whoever designed
> and programmed it was likely on the very best drugs money could buy.

Hardly. The issue is that this stuff is very complex and current methods are inadequate to achieve perfection--flaws cause security holes.

> Not only that, but in my experience, a lot, maybe most software engineers
> are unscrupulous, dishonest, and more out for themselves than they are
> to do an honest job

Not in my experience. It depends on who you associate with.


A Noun Ea Mus
Professorville
on Jun 4, 2018 at 2:08 pm

If someone did indeed pay for this crime to be done...why didn't the district attorney allow for a reduced sentence in exchange for the defendant revealing/testifying who such person or organization was? Give him his "Queen for a Day" moment. On the other hand maybe I've watched too many Law and Order episodes? (music chime for effect!)


CrescentParkAnon.
Crescent Park
on Jun 5, 2018 at 1:16 am

Jim

> Hardly.

Recognize sarcasm.

> It depends on who you associate with.

It depends on how closely you look and how open your eyes are. There are a lot of bad actors, or selfish actors in software engineering. Managers never have a clue about what people are doing unless they are very technical and actually look at code.

