Logica, National Special Event: Morgan (part 4)

Friday, May 3rd, 2013

0201-K81864-12 Notification Letter from Axex

Translated version of Axex’s police report for Applicate.

Contact details
2012-03-19

Reporter:
Yv*nn* W*stm*n, CEO
Infodata Applicate AB
556436-3421
Box 34101
100 26 STOCKHOLM

(The reporter requests that the report is classified if possible since publicity about the event can affect the company more than the event itself. The reporter requests to receive a copy of the report sent to them.)

CEO Yv*nn* W*stm*n describes the situation at Logica as “panicky”.
Responsible person at Logica is

J*h*n R*p*, C of Operations
Logica Sverige AB
073-xxx xx xx
He is in maximum charge of Logica’s operations in Sweden.
CEO Yv*nn* W*stm*n requests that the Security Service speaks to him if possible before he takes any panicky actions.

Introduction
Axex co-operates with Infodata Applicate AB in security related matters. The company has recently been attacked by hackers and has requested us to report the event.

Infodata Applicate AB, 556436-3421, wants to report hacking where somebody unknown has gained access and stolen information from their servers in the network.

Procedure
Somebody has illegally downloaded information from Applicate. Logica is the company that supplies Applicate infrastructure. The attack has been made through Logica’s web application and from information received they have also accessed mainframes (which requires special knowledge).
In connection with the intrusion of Infotorg’s web applications the intruders have used Monique Wadstedt’s account. She is the lawyer that represented the American entertainment companies that were one of the parties in the Pirate Bay trial. Outgoing traffic has been going to two IP addresses at an ISP called Cogetel in Phnom Penh, Cambodia, Bahnhof and Tele2 mobile connection.

During the intrusion the attackers have downloaded, amongst others, social security numbers for protected identities from 2007 (without names or other information). They have also downloaded the entire SPAR database including historical data from 4 years back in time.
It is estimated that 1.7 Tb information has been transferred out of Applicate’s storage servers.

Description
On the 3rd-4th March 2012 Applicate’s IT manager noticed increased activity and load which exceeded the normal level in the mainframes which they use. The increase wasn’t dramatic and they were unsure what the reasons were.
Pretty soon IT personnel found that there was abnormal activity in the network.

Closer investigation found that an account belonging to a sales person at Applicate had performed 1600 transactions under one hour, which is impossible to do manually. They also found abnormal searches made by the same account.
Controls showed that the owner had not been at their or somebody else’s computer with access to the system. The account owner had been in sales meetings at the point of time.

Additional studies showed traces of FTP traffic and exportation of text files which is very rare at Applicate. One could also detect that Telnet communication started against the mainframe resources which is not normal.
Applicate made the conclusion that they were attacked and that somebody had accessed their servers.

By investigating the search queries made by the compromised user account they found that the permissions for the account had been increased and that some strings included in the code for permissions could only originate from Logica.

There are also details that Logica Sweden is about to fire up to 450 employees as a saving measure.

Applicate has also found that the attackers used one of Logica’s group manager’s user account in their office in Bromölla to gain illegal access to information.

More extensive investigations were carried out and they showed that the attackers had hacked into and stolen information from the administrative permission system RACF in the mainframe. This system contains information about circa 100 000 users. They have also downloaded information from a system called PI, where information regarding permissions also occurs. These systems are in a UNIX mainframe environment.

Applicate has in its security work decreased the 200 accounts with highest permissions that have been found in the investigations to 2 accounts.

In its security work Applicate has found that somebody used Monique Wadstedt’s account. Wadstedt has had permissions and accounts in Applicate’s web interface that the intruders have remade, creating a mainframe account with superuser permissions. The intruders have then used this access and permission to illegally download large amounts of files.
(Monique Wadstedt was the lawyer who represented the American entertainment industry in the Pirate Bay trial).

Applicate representatives have been informed by IBM specialists (hired by Logica) that investigated Logica’s mainframes and systems and found that there were over 20 years old user accounts remaining in the permission systems.
Regarding the Police connections to Applicate’s information systems they state that the Police has its own encrypted connection between Applicate’s mainframe and the Police’s mainframes.

After a detailed review of the situation Applicate has found that somebody downloaded circa 10 000 social security numbers belonging to people that had protected identities 2007-01-29. These numbers were extracted out of the system to be put in and complete the company services that Applicate offers. Normally only the police can access the personal information that is connected to these numbers but it is not unlikely that a user with superuser permissions would be able to access and connect this information with accurate data.

Applicate has found that there have been searches made on people living around Borlänge, Ludvika and Smedjebacken. Queries have also been made on people in other parts of the country.

Moreover it has been detected that the intruders, through searching for the organisation number of the National Police Agency, have searched for vehicles owned by the National Police Agency.

Other search queries have also been made.

The intruders have also downloaded the SPAR database which also includes historical data 4 years back in time.

Upon examining outgoing traffic Applicate can state that traffic has gone to at least two IP addresses owned by Cogetel in Phnom Penh in Cambodia. Applicate has also detected exports to IP addresses in Germany and various other countries in Europe. Information has been downloaded using ISP Bahnhof and Tele2 mobile broadband with a prepaid SIM-card.

Stockholm 2012-03-19

P*d*r Q**st

Logica, National Special Event: Morgan (part 3)

Friday, May 3rd, 2013

Translated summaries of Logica security incident reports.

Logica Status report 2010-02-19, security incident

29th January 2010

Data is transferred over FTP, large datasets are copied to an unknown address. The user identity that was used had at the time correct permissions and a valid password. The account used the NYTTPW (NEWPW) function to retrieve a valid password.

Logica has found that this account hasn’t been modified since September 2008, as far as RACF logs go.

2nd February 2010

An unauthorized person manages to log into an account in TPX, which isn’t protected by RACF. This account can be used to take over other active sessions and the attacker has that way fully hijacked another user’s permissions.

Besides the unprotected account the person has had full administrative permissions in the TPX system and used it for data manipulation. Due to RACF protection it hasn’t meant any risk for systems in the background.

The unprotected user identity in TPX has been set up this way since the last installation, which was made circa one year ago. This is, however, the first known time that somebody has used this account to take over another user’s session.

The data stolen from the system on the 29th January contained a list of user identities without password protection. It is possible that this information enabled the takeover, although it hasn’t been proven. The alternative is that the attacker knew beforehand.

4th February 2010

The possibility to log into TPX without RACF control was stopped. After this date there haven’t been any successful attempts to take over an active session in TPX.

FTP to SYS19 and SYS3

On 29th January 2010 SEMA290 logged in through FTP and started retrieving files:

2010-01-29 20:39:21 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 20:59:42 SYS19 Resume password made through user E484RACF using routine NYTTPW
2010-01-29 22:58:28 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 22:58:28 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 22:58:32 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 23:02:46 SYS19 Invalid password, FTP
2010-01-29 23:17:48 Connects through FTP and retrieves a large amount of datasets and files.
2010-01-29 23:37:39 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 23:38:50 Failed login attempt due to revoked user.
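
The sequence in this timeline (logins refused because the user is revoked, a password resume, then a bulk FTP retrieval) can be checked for mechanically. The following Python is an added example, not part of the Logica report: the timeline lines are copied from the summary above, while the event kinds, the four-hour window and all function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Timeline lines copied from the report summary above (userid SEMA290).
TIMELINE = """\
2010-01-29 20:39:21 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 20:59:42 SYS19 Resume password made through user E484RACF using routine NYTTPW
2010-01-29 22:58:28 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 22:58:28 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 22:58:32 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 23:02:46 SYS19 Invalid password, FTP
2010-01-29 23:17:48 Connects through FTP and retrieves a large amount of datasets and files.
2010-01-29 23:37:39 SYS3 Failed login attempt through FTP. Fails since the user is revoked.
2010-01-29 23:38:50 Failed login attempt due to revoked user.
"""

# Timestamp, optional system name (two entries in the report have none), free text.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?:(SYS\d+) )?(.+)$")
ACTOR_RE = re.compile(r"through user (\S+)")

# Assumed mapping from the report's wording to event kinds; first match wins.
KINDS = [
    ("revoked", "revoked_login"),
    ("resume password", "password_resume"),
    ("invalid password", "bad_password"),
    ("retrieves", "bulk_retrieval"),
]


def classify(text):
    """Map a free-text timeline entry to one of the assumed event kinds."""
    lowered = text.lower()
    for needle, kind in KINDS:
        if needle in lowered:
            return kind
    return "other"


def parse_timeline(raw):
    """Parse the report's timeline into event dicts sorted by timestamp."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than guessing
        actor = ACTOR_RE.search(m.group(3))
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "system": m.group(2),  # None when the report names no system
            "kind": classify(m.group(3)),
            "actor": actor.group(1) if actor else None,
        })
    return sorted(events, key=lambda e: e["ts"])


def resume_then_retrieval(events, window=timedelta(hours=4)):
    """Flag a password resume that follows refused logins for a revoked
    user and is itself followed by a bulk retrieval, all within `window`."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["kind"] != "password_resume":
            continue
        refused = [e for e in events[:i]
                   if e["kind"] == "revoked_login" and ev["ts"] - e["ts"] <= window]
        pulls = [e for e in events[i + 1:]
                 if e["kind"] == "bulk_retrieval" and e["ts"] - ev["ts"] <= window]
        if refused and pulls:
            alerts.append({
                "resumed_at": ev["ts"],
                "resumed_by": ev["actor"],
                "refused_before": len(refused),
                "retrieval_at": pulls[0]["ts"],
                "delay": pulls[0]["ts"] - ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for a in resume_then_retrieval(parse_timeline(TIMELINE)):
        print(f"{a['resumed_by']} resumed the password at {a['resumed_at']}; "
              f"bulk FTP retrieval followed after {a['delay']} "
              f"({a['refused_before']} refused login(s) before the resume)")
```

On real data the same correlation would be keyed per userid; the summary's timeline covers a single account, so the example does not group by user.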

Tests run with FTP, mirror environment

Logins through FTP against SYS19 have been done with the following userids:

SEMA290
NIXTE22
ITP0257

Has only tested login and listing the entire master directory.

Tests run with FTP, production environment

The following userids have been tested:

WMSTOTT

Has only tested to login and listing the entire master directory.

Summary

Tests have been made in the mirror environment, SYS19, to determine what kind of info can be retrieved over FTP.

All datasets in the USS part under TSO can be listed. This reveals some information e.g. usernames even though the libraries are protected via RACF.

Conclusions

Why it could happen

The userid and the possibility to change passwords for a couple of demo users become known to an unauthorized person. This possibility is later used to log into and gather data from the web interface. The same userid is later used to connect over FTP to SYS19 and gather information.

It’s possible to sign in through FTP using demo users because RACF users in the environment are automatically assigned a UID at login. UIDs are assigned to enable the user to use resources under USS (ftp, telnet, sftp, webserver etc).

Users that don’t need these functions should not be assigned a UID.

Since the purpose of the system is to be accessible from anywhere, it is possible to log in with FTP given a userid and password.

TPX logins via userid without specifying passwords have been possible due to a modified parameter in TPX. This parameter was modified in connection with the production environment being upgraded on 8th February 2009. This was reconfigured by a job run on SYS3 and SYS19, job name ADMIN.

Report extern deliveries, 2012-03-24

7th March
Applicate and Logica discover unusual activity in the mainframe environment. After a small group of people did a quick investigation during the night they block specific accounts in the system. In the morning the group is expanded and additional managers are notified. On the 13th March the investigation reveals that the activity has occurred since the 25th February 2012.

1th March
Logica calls in IBM’s international incident investigators and security specialists. On the 19th March the picture is so clear that a police report is handed from Applicate to the Security Service.

The intrusions are partially made over existing file transfer services using the FTP function, partially via interactive logins via ordinary remote control functionality, and finally via the attackers’ own placed backdoors. The intrusions have often occurred in combination with large data retrievals from the systems. Additionally, intrusions and abuse have been done in Applicate’s web services. The abuse has, amongst others, consisted of unauthorized credit checks.

The investigation finds that there are two points of intrusion, like shared accounts between the mainframe partitions, which allows the attackers to access data stored on both partitions in the cases where the attackers have been lucky to retrieve one of these accounts. Which they unfortunately did.

Estimated 10000 files/datasets have been retrieved from SYS19 by unauthorized people. Estimated 600 files/datasets have been retrieved from SYS3 by unauthorized people. The files and datasets that were retrieved contain various types of company information, including a list from 2007 over social security numbers with filename “E897.SPAR.SKYDD”.

Over 120 000 accounts were retrieved from the user database RACF. Retrieval has been done of user information, by which the investigation from forgotten files could conclude that important password information was missing. However it can’t be excluded that such information has leaked. Large amounts of these accounts have been blocked or revoked. Circa 70000 active customer accounts remain today in the system as preventative actions and cleaning continues.

Specifically interesting to note regarding the accounts:

– The first account that was verified cracked and used 25th February belongs to a file transfer job from the Swedish parliament. How somebody gained access to this account is still unknown.
– One of the accounts frequently used by the attackers originally belonged to Monique Wadsted, one of the lawyers hired by the entertainment industry in the so called Pirate Bay trial.
– Multiple accounts used, including Wadsted’s, have been manipulated in the RACF database to increase permissions. The work of both the incident and the investigation continues.

Status on whether the intrusion is stopped or continues

The attack surface has narrowed through various technical limitations.

Intrusion attempts to SYS19 are handled by whitelisting FTP traffic from approved IP addresses and filtering the protocols previously used in the attacks (telnet traffic and traffic on port 443). Misc traffic that hasn’t been proven legitimate has been filtered.

Intrusion attempts to SYS3 are handled by whitelisting traffic to FTP and filtering illegitimate traffic.

All system administrator accounts have changed passwords, compromised administrator accounts are replaced.

Last found intrusion in SYS3 occurred on 23rd March through FTP and telnet. Last found intrusion on SYS19 occurred on 16th March through telnet.

Continuous intrusion attempts happen targeting web services based on the list of usernames stolen from SYS19.

Detailed information regarding known leaked information

Description of contents in the files copied from respective system.

SYS19
– SPAR (Statens Person och Adressregister) information, list of social security numbers for citizens born 1964 and later.
– Infotorg invoice information – Invoices, amounts of transactions per customer.
– PI (logins on Infotorg) – Files sent to LIME (CRM). All information regarding customers in Infotorg and their permissions.
– Infodata (Postal service) – Address matching
– Infotorg (PWC) – Specification of project marking for invoices
– The police – 2 million social security numbers, only.
– Applicate (Radiotjänst) – Invoice information
– Infotorg/Infodata/Police – Invoice information, transaction type and amounts.
– Police – Transaction statistics from 2006
– Infodata – Three datasets where the file name contains the text “protected”. The datasets are from year 2007. 10 793 social security numbers in total, a copy and two originals have been stolen.
– Applicate (mixed customers) – Invoice statistics
– Infodata – datasets containing social security numbers in relation to each other
– Infotorg – BASUN (company information from SCB). Base information, names, legal form, company size etc.

SYS3
– FLISTEST – Handelsbanken’s invoices to their customers 2006 and 2007

– According to the bailiff agency circa 40 cleartext files containing customers and debtors that are normally sent to the UNIX systems have been copied from SYS3. The files contain social security numbers, debts, and to whom the person owes money. The files also contain information about debts for people with protected identities.
– Payment files for Swedbank and signet for signing payment files have been copied from SYS3, the signet has been replaced.
– The Cobol source code for the program Navet has been copied together with KFM’s Navet certificate. The code was used by the intruder to find vulnerabilities in the Navet application. The application is however only available from the tax agency’s network and not publicly available.

Information about how the escalation was made during the intrusion

Applicate and Logica found on the 7th March that SEMCICA3 in SYS19 had an unusually high CPU usage, many transactions were running by a questioned user. The activity was considered unauthorized and a security incident was stated on the 8th March wherein an investigation began. (IM3107818).

16th March
Applicate found that the attacker established more access to the system and calls for a crisis meeting. Logica establishes Major Incident Manager and calls in specialist competence from IBM.

Applicate files a report at the Security Service on 19th March.

Intrusion is found in SYS3, whereupon Logica contacts the Security Service with a report on 21st March.

Information about accounts used at information retrieval

25th February
The first known account used was an account from the Swedish Parliament (AVIY356). This user has through zOS and USS begun downloading approximately 400 datasets and files from Logica. It has been found that a number of accounts have been used throughout time and that many of them have been manipulated to receive special and superuser permissions in the systems.

Which sort of traffic was queried from Dalarna

An investigation has been made on a selection of search queries done on Infotorg. As previously mentioned there have been searches done on Jim Keyzer, Gottfrid, PRQ, Police registered cars in the car registry etc.

Below follows a short selection with explanations:

LN: Swedish representative for space project Cospar

JE: Could be one of the attackers searching for himself (?)

MB: Police who took action against filmmaker and forced deletion

Håkan Marklund: Robinson participant (Swedish TV show)

Mikael Persbrandt: Actor

RÅ: Appears to be a technician certifying himself

LB: Cat owner and kindergarten teacher, possibly in Norrtälje

ET: Charged for knife stabbing in Ludvika

AB: 17 year old blogger

Reflection:
Young people have probably received login details for Infotorg from the more competent main actors. These youngsters have searched for famous people, a blogger and people in Ludvika/Smedjebacken and have most likely not had the slightest idea about the eventual risks of the searching. Probably anchoring in Ludvika/Smedjebacken.

Other affected organisations

After going through retrieved datasets it has been found that affected organisations can be limited to:

– Logica
– Applicate
– Tax agency
– Bailiff agency

Logica, National Special Event: Morgan (part 2)

Friday, May 3rd, 2013

Applicate incident description

7th March 2012

An Applicate employee receives a warning message at 7 AM saying that there is unusual activity in the mainframe environment; one of the InfoTorg users is trying to access a large amount of files that the employee administrates and the user account isn’t authorized to view.

The employee contacts Applicate’s security manager around 7:30 AM explaining that the user account is trying to access the circa 10 000 files which the employee administrates.

The security manager contacts Applicate’s operations manager informing him what has happened. The operations manager in turn contacts Applicate’s CEO to report the findings. Applicate forms a team to handle the incident. The team consists of Applicate’s CEO, the security manager and operations manager.

The Infotorg account which is being used turns out to be owned by one of the Infotorg sales people and the account is locked. The sales person is contacted to ensure that the login details are used properly and haven’t been handed over to a third party.

The operations manager contacts Logica to book a meeting for the following day.

8th March 2012

The Applicate incident team has the booked meeting with Logica around 9:30 AM; Logica’s customer manager and Logica’s security manager are present. Details are given to Logica during the meeting.

9th March 2012

It is discovered that multiple user accounts have been used in a strange and improper way. IP addresses are traced to various countries, including Cambodia, from where Infotorg’s customers usually don’t connect.

Applicate’s CEO contacts Logica’s CEO with information that Applicate suspects that there is an occurring security incident affecting Logica. Logica assigns Applicate a person who helps Applicate block suspicious IP addresses that are used to access breached accounts.

10th and 11th March 2012

Applicate’s incident team analyzes logfiles and suspected IP addresses and blocks IP addresses and user accounts that are believed to be used in improper ways.

12th March until 20th March 2012

Daily meetings are held between Applicate and Logica. Applicate’s incident team continues analyzing logs and blocking suspicious IP addresses and user accounts. It is noticed that the amount of user accounts being used improperly keeps escalating. On the 19th March Applicate’s incident team contacts the police.

21st March 2012

8:20 AM Logica informs Applicate that unauthorized logins have been made not only in SYS19, the machine dedicated to Applicate and Infotorg, but also in SYS3. It is also revealed that somebody has accessed a system-wide admin account, a NUS, that grants nearly full permissions to SYS3 and SYS19. Around 14:30 Applicate’s incident team finds that sensitive information owned by the tax agency has been downloaded by the attackers. The security managers from the tax agency and bailiff agency are contacted. 16:38 PM the unauthorized NUS user has a failed login attempt and around 20:00 PM intrusion attempts are detected from new IP addresses.

23rd March 2012

Starting this date the investigation proceeds with the Swedish National Police Agency and Activity Protection. Logica, IBM, Applicate/Infotorg and KPMG begin work with affected government agencies and provide them logfiles. Applicate/Infotorg begins modifying the infrastructure to prevent future attacks of this sort. Intrusions end in April 2012.

Cost

Applicate hired consultants for in total 2 000 000 SEK to work with the incident. Infotorg changed its routines for password management in its services, they changed the policy to require more complex passwords. To achieve this Infotorg hired consultants and existing staff had to work overtime. In total Infotorg has spent up to around 2 200 000 SEK to achieve this.

In addition to these costs management staff has spent time corresponding to circa 440 000 SEK. Key people in Bisnode have also had to spend time on controlling logging, following up credit investigations and troubleshooting etc. The costs for this are estimated to circa 275 000 SEK.

In total the claimed damage caused to the Bisnode group is estimated to be circa 4 915 000 SEK.

The intrusion in Applicate was reported by Axex AB, a security and risk management company. They are most likely the consultants that were hired for 2 000 000 SEK to gather evidence. There is therefore reason to believe that Axex has conducted surveillance on people living in Cambodia as part of the investigation.

Logica, National Special Event: Morgan (part 1)

Wednesday, May 1st, 2013

Logica discovered that their systems had been breached 6th March 2012. 16 days later they filed a report to the Swedish police. The extent of the breach was unknown and it was assumed at the beginning that all information handled by the company had leaked. It was confirmed pretty soon that the social security numbers of over 10 000 individuals with protected identities had been stolen from the mainframes.

This writing is split into multiple parts, links to following parts will be added when published in the future.

The investigation work was found to be outside the Security Police’s scope and RPS (national police) initiated the work. All affected staff in national police forces, the tax agency and bailiff agency received information about the incident. A big meeting was held 23rd March to organize the investigation, approximately 40 people were in the meeting. The work was divided into smaller groups where each company and governmental agency had at least one representative in each group.

The coming weeks a large portion of the involved staff had their hands full. The security service assisted the national police agencies. The incident was considered so serious that on 28th March the head police chief issued a national special event in accordance with Ordinance (1989:773) with instruction to the national police to coordinate the police tasks and cooperate with external governmental agencies.

The Swedish police did its investigation at a flat rate price of 920 kr/hour, same price as the police charges for covering sports events. The calculation below is only based on the work that RPS spent on “handling the incident and securing that the information used in the investigation is trustworthy” (sic).

RPS Activity protection: 1 273 599,00 kr
RPS Communications department: No data
RPS/RKP: 63 480,00 kr
RPS/PVS: 713 000,00 kr
RPS System owners: No data
SÄPO (Security Service): 2 300 000,00 kr
HK Management: 36 800,00 kr
PVS Management staff: No data
Remaining work (estimated): 326 792,00 kr
Total: 4 533 823,00 kr

“Virtually all communication between suspects has occurred or is occurring through the IRC channel #hack.se. In there people are relatively openly discussing hacking and “everybody” knows what is happening, is involved to some extent or have an overview of what is going on. (sic)”

Fishing in Ludvika

By analyzing logfiles from Logica and subsequent IP tracing it was found that multiple IP addresses pointed to a relatively small geographical area in Ludvika, Sweden. There was therefore reason to suspect that one and the same person had used multiple wireless networks. Multiple queries done on Infotorg’s web interface could be connected to diROX, suspect “MG”, through internal reconnaissance.

On suspect MG’s cellphone forensics personnel found the Infotorg app installed, which should only be available for companies, organizations and governmental agencies that are Infotorg customers. When forensics personnel started the app the username “KURS104” was saved. MG’s cellphone also contained an installed portscanner app, which when started contained “ftp.infotorg.se” prefilled in the host field.

On an SD-card found in MG’s cellphone the forensics personnel found, in the path /u1/Ubuntu One/Linux/Hacking/, the programs reaver_v1.4 and wpstools, which can be used to break into WiFi networks. In the Keys folder they discovered folders named wep, wpa-captures, wpa-knackt and wpa-oknackt. In wpa-knackt they found text documents 54-E6-FC-BE-80-9A_Backe.txt and A0-21-B7-7A-3E-7E_LINNEA_Network.txt containing identification details and login credentials to WiFi networks that had been used to access Infotorg/Logica servers.

Much of the contents of the SD-card was also retrieved from an FTP account on Passagen.se and Ubuntu One, with the nickname being dirox and the e-mail address [email protected]. In a computer seized by the police from diROX they found browsing history for his ftp.passagen.se account, using password qw97p48z.

Screenshots seized from diROX’s Ubuntu One cloud storage show somebody was signed into hacked Infotorg accounts at the same time as browsing social media sites like Facebook and Helgon while chatting on MSN and reading Gmail account luciddream:

infotorg_screen

Large amounts of files with usernames and passwords for Infotorg accounts were discovered in MG’s possession along with multiple files containing passwords to hacked WiFi access points located around his address. On his passagen.se FTP account the investigators found large amounts of logfiles containing communication with tLt. On MG’s Ubuntu One account they found a large amount of datasets matching the data that had been downloaded from Logica mainframes. There were also traces of intrusion targeting Logica and Infotorg dated 2010, 2011 and 2012, covering both connections to Logica mainframes and queries in Infotorg.

Hearings

15th April 2012
MG was heard in regards to being suspected of hacking alternatively assisting hacking between 25th February and 15th April 2012. MG is suspected of illegally accessing and searching in Logica hosted Infotorg registries.

MG is informed about his right to have a lawyer present but chooses to be heard alone. MG denies crime. He states that he has signed into Infotorg from his own or his girlfriend’s computer a few times. At these times he has found some passwords on the Internet that other people have posted. MG states that he has used his own security number to login using these passwords. MG considers himself to be pretty good at handling computers. His girlfriend’s name is LB and she owns an IBM laptop protected by the password phrase FITTJUV.

MG is asked if he really doesn’t want a lawyer present and after thinking for a while says that perhaps that would be a good idea. MG requests Björn H. The hearing is cancelled.

15th April 2012, 14:00 PM
Two police officers transported diROX from Borlänge to Stockholm. The trip took 2.5 hours and the three of them had a social conversation during the whole time. diROX was disappointed over his life and thought that he had let his parents and his girlfriend down. diROX asked what kind of punishment he would be facing for hacking and stated his girlfriend’s innocence. He also said that he had found passwords on the Internet and tried if they worked. According to himself he had only queried information about himself. He added that “there are more people involved, not only him.”

17th April 2012, 14:10 PM

MG admits the crimes as soon as they are presented. He says that he has only been logged into Infotorg’s website. He states that he has Linux experience, is not very good at networking and has no programming knowledge. Interrogators ask why he has been googling about Infotorg; MG replies that he hasn’t been looking for anything specific. MG says that he found login credentials on a Swedish forum that he forgot the name of. He claims to have tried around 5 accounts and that he doesn’t have anything on his computer after it was lost in a reinstall done “the other day”.

MG says that he has been logged into Infotorg “maybe a week ago” and has only been looking up himself and his friends in the registry. MG says that he has been acting alone and doesn’t know if he has shared the information with anybody else.

Interrogators bring up his .bash_history file where he is grepping a file named log.txt for the string Ludvika. Interrogators bring up that his girlfriend has stated in hearings that he can hack into wireless networks, that MG accesses access points in the area. He names his passwords as being fittjuv and apa123 on his computers, apa123 being his most commonly used password.

16th May 2012, 09:00

MG is informed that the suspicions have been extended from 25th February 2012 – 15th April 2012 to January 2010 – 15th April 2012. MG says that he doesn’t think so and denies. When asked if he’s denying both Logica and Infotorg he responds that he possibly may have been illegally accessing Infotorg since 2010. Interrogators continue asking about the .bash_history file found on MG’s girlfriend’s computer which contains data about Infotorg. MG doesn’t know anything about it, except the name Infotorg. MG denies knowledge about a memory card containing a folder called Infotorg, which his girlfriend has said in a hearing belongs to him. He also denies using cloud services and the hearing is ended shortly after.

14th June 2012

Interrogator asks if MG has gotten the Infotorg accounts from somebody, MG responds “unfortunately no” and continues stating that he just finds them, but doesn’t want to say where. Interrogator asks if MG knows the IRC channel #hack.se, which he does and he has been there before but doesn’t know how long ago or what nickname he used. The nickname diROX sounds familiar to MG, but he says it is not his and he doesn’t know him. MG is asked about KS (suspect #2) and his IRC nickname used in #hack.se. The interrogator tells MG that KS is also detained as part of the investigation of the case.

The interrogators explain that they have found material from Infotorg and Logica on computers seized from KS. MG denies that KS has received such data from him. The interrogator says that KS has said that MG is diROX, MG denies and says that he doesn’t think that he has used that nickname but he has seen it. MG doesn’t know if it is his nickname or somebody else’s. The interrogator tells him that they have seen in his computers that MG is in fact diROX.

The interrogator continues listing nicknames from #hack.se which MG confirms he has seen and spoken to. The interrogator asks if MG recognizes the nickname Anakata. MG says that Anakata is Gottfrid from The Pirate Bay. Interrogator asks if he knows TiAMO, which he does from The Pirate Bay and #hack.se but they haven’t spoken.

The interrogator asks about what they talk about in #hack.se, and says that KS has said in a hearing that the latest topics have been the hacking of Logica and Infotorg. The interrogator explains that KS has named MG as connected to the attacks on the two named targets. MG denies that he is involved or that he knows anybody that is.

18th June 2012

Interrogators clarify that MG is suspected of retrieving data from Logica mainframes and manipulating RACF. MG doesn’t understand. Interrogators ask about RACF and talk about traces they have found in MG’s possession. MG doesn’t know anything about RACF and denies retrieving info from the mainframes. MG doesn’t understand anything except that Logica has been breached.

Interrogators continue by asking if MG knows about Infotorg, which he does but he doesn’t have any ideas who’s running it. Interrogators ask if he knows what a mainframe is, MG explains that they are computers that can handle pretty much.

Interrogators clarify that MG is suspected of visiting Logica mainframes, manipulating RACF and making unauthorized queries in Infotorg. MG admits the Infotorg parts and knows that he isn’t allowed to do what he’s done using other people’s accounts.

Interrogators name the third suspicion, that MG has illegally broken into and used WiFi networks of his neighbors, which MG admits he has. Interrogators explain that MG’s IP address has been found in Logica mainframe logs along with his neighbors’ IP addresses.

After the interrogators continuously state that suspect KS has named MG as diROX, and that the nickname is found on MG’s computers and in his neighbors’ network activity, he says that maybe he has used that nickname sometimes. MG admits that he has received several hundred Infotorg accounts from somebody on IRC but doesn’t want to say who gave them to him, although he knows who it was.

MG denies that he has downloaded any data from any intrusion except saved queries he’s done on his friends in Infotorg. The interrogator asks if those friends of his can have been Hells Angels members, to which MG responds “maybe”.

The interrogator says that he finds it strange that MG is admitting some things but not others and asks why that is. MG replies that he hasn’t done some of the things. The interrogator continues stating that they have data proving otherwise, which MG finds strange and doesn’t believe. When asked if MG thinks they are bluffing, he responds yes. The interrogators explain that there is more than they have told them, such as logs from CSN and IRC logs from #hack.se.

“We suspect or we strongly believe that you are not alone in this, we think that there are many more involved. The problem is that we can’t prove it. We only have what we have from you, so to speak.”

After chatting about his WiFi hacking activities the interrogators start pressuring him to reveal the identity of the person that supposedly gave the Infotorg access to MG, stating that KS has said that MG is diROX and that diROX is somebody involved in these matters. MG doesn’t know and the interrogators continue by verifying that MG admits two out of three charges. MG states that he knows somebody who has hacked the Logica mainframe on which Infotorg is run but doesn’t know if they are alone or how it happened.

“You don’t know. Have you been like a little hangaround, maybe you haven’t been allowed to be in the gang and haven’t really…?”

MG says that he thinks so. When asked he replies that he didn’t give anything in return for the data that he has received from an unnamed somebody or somebodies. He doesn’t know if it’s a criminal gang that has breached the mainframes or a loner.

JP: No… But, as long as you don’t want to tell it’s a little… then there are problems. We can’t… Because we know a lot of things that we can’t or want to tell, and if you don’t want to tell then we don’t get anywhere with this. Is there anything you would like to tell us that you think is important for us, without revealing too much?
MG: I don’t know, I can’t think of anything.
JP: It’s very sad when you can’t… that you can’t or don’t want to tell. That’s how it is. It would be better for yourself to say and…
MG: That I… (inaudible)
JP: But why so to speak?
MG: No, but then I will have problems later.
JP: Oh. So you’re afraid that they will retaliate?
MG: Exactly.
JP: OK. But how do you think it’s going to look later when you… when you’re released and this goes to court and we put up all the evidence? Then you will start to think anyway about what you said or why you were so careless to leave chat…
MG: Because of this chat?
JP: No, but why… We have found your chatlogs.
MG: OK.
JP: You don’t think that these people that you are afraid of will start to consider anyhow?
Lawyer: That is not an appropriate question to ask!
JP: Do you want to ask a question or what are you saying?
Lawyer: No, but I think it’s inappropriate that you formulate your question that way and put him in a corner saying he’s risking retaliation anyway. The court says that you can’t force somebody to say something that they don’t want to say if they are afraid of retaliation. Your question formulated that way (inaudible) and I don’t think that is an appropriate question.
Fhl: Yes, it is noted. But, we can ask that question anyway, I think. Do you have any comments on it then?
MG: No…

6th November 2012

MG voluntarily chooses not to have any legal defense at this hearing.

MG is asked what nicknames he’s using on IRC, he responds that he has difficulties with his memory sometimes. MG remembers that he used many different nicknames, among others diROX and Matte76.

Interrogators ask about Gottfrid Svartholm Warg. MG replies that he knows GSW, that they have met personally but doesn’t remember how long ago. MG says that GSW has said on IRC that he was in Cambodia, that he left after The Pirate Bay conviction. MG says that he doesn’t remember the nickname GSW used when they spoke on IRC.

Interrogators ask what computer knowledge GSW has. MG replies that GSW is very smart and knowing. MG considers himself good at computers but states that GSW beats him in computer science.

MG is informed about IRC conversation logs. MG is shown chat traffic retrieved from diROX’s Passagen.se FTP account between the aliases diROX and tLt between 2012-03-10 16:54-16:56 and 2012-03-25 21:11-21:15 and is asked to comment on this log. MG spontaneously replies that tLt is Gottfrid Svartholm Warg. He remembers it clearly. He also says that the 2nd conversation, where tLt talks about Infotorg accounts, proves that MG has always been right in what he has been trying to explain: that he himself doesn’t have anything to do with these accounts. MG states that he has only tried logging in on a few of those accounts but that other people have breached the systems. MG doesn’t want to name those individuals.

Anakata translated hearings

Tuesday, April 30th, 2013

Pasted below are the translated hearings with Anakata regarding the Logica hacking case. The hearings have been transcribed by the Swedish government based on audio recordings of the hearings and then OCRed and translated (by me) to English.

2012 09 13
Interrogator: You are previously served on suspicion of several hacking cases, that you have prepared access to Logica’s servers.
G: Oh well…
Interrogator: What is your approach to the suspicion?
G: I deny crime.
Interrogator: This investigation, it has gone on since this spring and we have quite a lot of material that we’ve been looking at. There are clear indications in this material that show that you would be involved. Do you know of this breach of Logica?
G: No comments!
Interrogator: Do you have any special reasons to why you don’t want to comment?
G: No comments!
Interrogator: Do you know MG?
G: No comments!
Interrogator: Do you know KS?
G: No comments!
Interrogator: Does the lawyer have any questions?
Lawyer: I don’t have a question, no.
Interrogator: No. Then we finish the hearing here. Hearing finished at 13:07.

2012 10 11
Present during the hearing are lawyer Ola Salomonson (OS), interrogator Olle Wahlstrom (OW) and co-interrogator John Steenmark (JS). Suspect is Gottfrid Svartholm Warg (GSW).

OW: Yes, since our last hearing… is there anything that you have thought of that you want to… (The interrogator doesn’t finish his question before the suspect replies)
G: No comments.
OW: This breach of Logica, do you have anything to say about that?
G: No comments.
OW: And if you know MG.
G: No comments.
OW: Or… CS?
G: No comments.
OW: Does the lawyer have any questions?
OS: No.
OW: The time is 09:57 and the hearing is finished.

2013 03 08
(Deputy interrogators, Joakim Persson and John Steenmark from the County Criminal Police)

OW: I begin by asking, this apartment where you lived when you were arrested, how long had you lived there?
G: No comments.
OW: When you were in Cambodia did you have any job there or were you running any businesses?
G: Answer yes.
OW: Can you describe further what you worked with?
G: Yes… I freelanced as a consultant and also for nearly two years had an outsourcing company involved in web development.
OW: What was the name of that company?
G: No comments… yes that I can actually answer, it was called Arocore and later Finesy.
OW: You consulted for someone too you said?
G: I freelanced.
OW: At any particular company?
G: Freelanced.
OW: Did you have any income?
G: Yes
OW: Around how much?
G: No comments.
OW: A company called Mysec, have you worked any for them?
G: No comments.
OW: I guess you do not comment if you got any payment from them either?
G: No comment.
OW: In your apartment, we found two computers, a desktop and a MacBook. Were you using them?
G: Not personally, no, they are servers.
JP: Both?
G: Yes, it is quite clear on the laptop, if you doubt it the keyboard was broken. I might add that I actually think Steenmark here can confirm that I always had servers at home.
OW: Yes. If we take this desktop first. What is it used for then? In addition to being a server. What have you done with it?
G: It has been used as a server.
OW: For what purpose?
G: It has been used as a server.
OW: And the MacBook then?
G: It has been used as a server.
JP: What did you have for server software for it?
GS: I have already answered that.
JP: And the answer is?
GS: Yes… ssh, PowerShell Server, Remote Desktop, etc.
JP: On the MacBook?
GS: Yes
JP: What is the OS on the MacBook?
GS: There are two OS installed OS X and Windows 7
OW: And which one have you used?
GS: Both, or well yes I, both of them, I have used at various times.
OW: How long ago was it you used Mac part?
GS: No idea
OW: In the desktop computer, where there was a hard drive that was a bit loose, which had two partitions. My question is, the other partition what did you use it for?
GS: No idea, don’t remember.
JP: Do you remember what is located on the first partitions?
GS: How should I remember that? There are quite many months or years since it was partitioned.
JP: But the data on it is not that old is it?
GS: Yeah, I say what I said previously, it stood as a server. I do not know exactly what was on it. And it’s pretty ridiculous that you have to remember specific things like how my disks are partitioned so far into the future.
OW: The second hard drive which had a Linux OS installed, where you had six partitions. What are the last two partitions there, what do they contain, do you remember that?
GS: Do not remember.
OW: If we take your MacBook then, there was the Windows and Mac. You say you have used both the OS there.
GS: Both OS have been used on the computer and I want to emphasize that it is not me personally that has been using them recently.
OW: No, but have both been used?
GS: Yes, that sounds reasonable.
OW: In Windows, there are many accounts, do you remember who has had accounts on the computer?
GS: Yeah, I know approximately who they are, but…
OW: The account “A” for example?
GS: As I said I recall who they might be and I… for fear for my own life, I don’t choose… I don’t choose who they are.
OW: Are there people who have had physical access to your computers?
GS: In a couple of cases, yes.
OW: Over what period of time then?
GS: Some accounts have been used by multiple people.
OW: Over what period of time have these people had access to the computer physically?
GS: How would I be able to remember that?
OW: I don’t know.
GS: No exactly.
OW: But is it like a day, a week, a month or a year?
GS: How would I be able to remember that? How did you think that… I don’t write a diary.
OW: Yes. You have already talked about how others could access your computers remotely.
GS: Yes.
OW: Who could do that?
GS: I refer to my previous answer.
JP: And how has it been possible to remote access them?
GS: PowerShell Server, Remote Desktop, both installed and active.
OW: What computer are you talking about?
GS: I’m assuming that we are talking about the laptop…
OW: Mm… Remote desktop…
GS: …yes and PowerShell server.
OW: How often has someone connected via Remote Desktop to it?
GS: Don’t know.
OW: Is it often?
GS: Don’t know.
OW: Do they connect via Remote Desktop?
GS: Answer yes. I’m assuming so anyway, I haven’t kept track.
OW: I looked at your log files on the Windows computer, there is not a single connection via Remote Desktop.
GS: Yes… That said, I refer to my previous answers. Remember that PowerShell server is used also.
OW: But you said the Remote Desktop as an example.
GS: I said it as an example yes.
OW: SSH you said too
GS: Yes and PowerShell Server
OW: These people then, who have accessed it. Do you want to say something about them?
GS: Answer no.
OW: Is there any reason you do not want to say…..?
GS: Yes, because I fear for my own life.
OW: These people that you are afraid of, is it people you’ve met physically, who have visited you?
GS: Yes.
JP: Why have they visited you?
GS: No comments.
OW: In Cambodia, which ISP did you have?
GS: Don’t remember.
OW: Cogetel, could that be it?
GS: Don’t remember.
OW: Do you use any VPS or cloud service?
GS: Don’t remember.
OW: Don’t remember or don’t want to say?
GS: Don’t want to say.
OW: On your Windows partition here on the Mac, you can see that your clock is reset quite frequently, manually. Why is that?
GS: Because the backup battery in the computer is broken.
OW: To clarify. What happens then?
GS: To clarify. What happens then? Well, then the clock resets.
OW: To which date?
GS: … or alternatively, alternatively displays wrong.
OW: To which date is it reset?
GS: Good question. It depends on, eh, if when the battery is like half… half… (inaudible)
OW: But most common is?
GS: If it’s entirely nulled so, no I don’t know what that is.
OW: Can it be 1st January 2001?
GS: That sounds like a reasonable epoch date. I can’t comment any more.
OW: When you… adjusted the time then, when it’s wrong… How do you usually do then? Do you set the correct date or how?
GS: I don’t remember.
OW: Do you sync against a server?
GS: Don’t remember.
OW: On your Windows partition, there is a file named t001a, 16 Gb size. Do you recognize that?
GS: Don’t remember.
OW: If we say that it’s a TrueCrypt container
GS: Don’t know.
OW: Nothing you know anything about?
GS: No
OW: Have you ever used it?
GS: I just said that I don’t know about it.
OW: You don’t know about it at all?
GS: No
OW: But it’s still created already 2010 I think it is.
GS: I just said that the time in the computer is wrong.
OW: Yes, not since 2010 I hope.
GS: Bad quality on that fucking… fucking Mac
OW: Mac?
JP: It was almost new 2010
OW: PuTTY do you use it?
GS: No comments.
OW: MG do you know him?
GS: No comments.
OW: Do not want to comment or are you scared or do not know, can you answer that?
GS: No comments.
OW: diROX…?
GS: No Comments
OW: We can see, or we know from before that you had e-mail contact with MG already in 2006.
GS: Now you don’t stick to the time…
OW: Yes, but the question is if you know him.
GS: Yes, I leave no comment on it.
OW: In your computer, there are a number of different log files, the connections you have done to Logica… or that’s in your computer against Logica systems, what were these log files from?
GS: Probably from those who used the computer. Either locally or, more likely remote.
OW: Have you seen these log files?
GS: Answer no. On which of the computers was that?
OW: It’s on the MacBook.
JP: Windows partition
OW: Yes, on your computers, there is a fairly large amount of data coming from Logica, now we’re talking two computers. How did it get there?
GS: Referring to previous answers.
JP: Which are?
GS: Referring to the previous answer.
OW: OK. I told you t001a was a TrueCrypt container, do you use the program TrueCrypt?
GS: No comment.
OW: Do you know if you autostart something with TrueCrypt?
GS: What?
OW: That it mounts anything when you start the computer?
GS: (Inaudible mumbling)
OW: I think we’ll do some questions, Joakim.
JP: Mm, exactly. As you may know MG is also served suspicion of the breach of Logica. And in his material we have found large amounts of chat logs… and now the question is: what username do you usually use on…..?
GS: Yeah, mine is pretty well known, Anakata
JP: Hmmm, do you use other one?
GS: Answer no.
JP: No?
GS: Not normally.
JP: Not normally. tLt. (Rest lost in transcription, MG chatting with tLt in logs.)
GS: I can not answer that.
JP: You can not answer that. In this chat, there’s quite a lot of evidence that a person who is called tLt would be involved in this breach of Logica. There are also indications that this person would be Gottfrid Svartholm Warg.
GS: So, I would like to point out that IRC does not have any form of registration of nicknames or something. It doesn’t require any passwords to…
JP: No.
GS: …
JP: But the nick Anakata is pretty well known.
GS: Yes
JP: Mm. For example diROX asks TiAMO where is Anakata? So he responds Cambodia, that’s correct isn’t it?
GS: That sounds reasonable.
JP: Later diROX writes, talking to tLt. tLt says he’s been very focused on z/OS. Do you know what that is?
GS: No I don’t.
JP: diROX then says that, yes, asks a bit and tLt says that maybe they should speak encryptedly and invites him to SSL mIRC on planet.wideopenbsd.org. Do you know that server?
GS: No Comments
JP: That’s a lot of material. tLt writes for example this also: “hello again, are you doing? right now I’m snorting amphetamine and swear a bit over the electricity, hope it doesn’t disappear again for 18 hours.” Could it be, perhaps that power is lost in Phnom Penh?
GS: I’ve been through lengthy power outages in Sweden too, so it…
JP: 18 hours is maybe a little…
GS: Locally in smaller areas I’ve experienced 36 hour outages.
JP: He also says, among other things… tLt, that he has an SSH key that he uses to backdoor an admin account
GS: Oh well
JP: tLt also writes: so download, and then he writes again that hoho they are so fucking owned, their RACF database tank/etc/passwd. Nothing you recognize?
GS: No
JP: Do you know what a RACF is?
GS: No Comments
JP: And you did not know MG?
GS: I said that I do not comment that.
JP: If we say like this then, in your computer we found a tool called HexMvsdump. Is it something you know anything about?
GS: No Comments
JP: Anyway here diROX writes asking, I need to access the police multi question and tLt replies that, have to crack the RACF database and it’s encrypted with DES encrypted with the password key and then tLt writes, I’m changing the password for a cop. Lower down he writes later, did you crack the db. Yes, says diROX. Looked through it briefly. Have you also gotten my HexMvsdump tool? No I don’t think so, tLt sends a link to Pastebin where it is, diROX replies now so (rest lost in OCR/transcription)
GS: No comments.
JP: Another excerpt here. tLt asking if diROX wants a pair of Infotorg accounts. Approximately 70000 and diROX asks if he has any police accounts. This is nothing you know anything about either?
JP: tLt also writes, I also have complete dumps of amongst others the bailiff registry, only that is 12 Gb haha, got hold of the table of contents, it’s a little easier to find fun things then. Do you know anything about this?
GS: I… just want to comment that bailiff records are public documents.
JP: In your computer we have found the records, which are 10.6 gig. It matches pretty well with this number. Do you have any comments about that?
GS: Nope. Can you show me the notorious bailiff register, what does it contain?
JP: Yes, I didn’t bring 12 Gb printed with me and so but…
GS: You did in the Pirate Bay trial.
JP: Yes, but you know, times change, unfortunately.
OW: Before the trial, you will see the material we present, of course.
JP: diROX also says he wants their records for the tax agency, tLt asks, don’t you want some money from the bailiff too. Yes says diROX, have 1700000 SEK in debt, tLt answers, yes if you have someone to put it on then maybe we can…
JP: Do you know of others who hang in #hack.se?
GS: No comments.
JP: In conjunction with this list of protected security number being put on Pastebin, diROX writes that the dump was stolen over a year ago, the one with the protected. tLt answers, yes. diROX responds, it didn’t even include names. tLt writes fuck what a lot of things, and then links to some files. tLt also writes that SPAR is not in the Infotorg/Sema/Logica anymore, however, makes KFMs register REX, you saw that I stole the entire thing.
OW: This specific dump, is it something that was on Pastebin that you recognize? That we talked about, with protected
GS: I’ve seen it on pastebin, yes.
OW: Have you had part of it yourself?
GS: Like I said I’ve seen it on… and it was as said only a list of social security numbers, no secret information in itself… More accurate way of saying it is that it’s the social security numbers for people with protected identities, not security numbers that are in itself protected.
OW: No, that’s right.
GS: I would personally be very surprised if it was on the Internet connected systems over. I assume that it is not…. intrusion has occurred…
JP: diROX also writes that, do you like Cambodia by the way? Mm, says tLt. diROX, found the border between Cambodia and Thailand to be pretty shitty. tLt, yes.
GS: And here I would like to comment that there is more than one Swedish person in Cambodia.
JP: Mm
GS: Even in time of writing, time of speaking
JP: tLt also pasted into a post, including where it says, port 443 is listening waiting for the APT callback, alert advancing port 443 threatning accepted presistent TCP connection from 93.1.86.1.70.54, port number, then commenting advanced printer typewriter fashion. Do you recognize this extract?
GS: No Comments
JP: In your computer, there is a script… exact same excerpt at least three times… And then tLt writes, well look at that. diROX asks, what does this mean now? tLt responds, yes, let get up some of that root. tLt, diROX writes and then, can you access everything now? There’s more; these are just a few excerpts contained in this material. Is that enough?
OW: Yeah, the last thing here, among others…. the script we talked about, there’s a lot of log files in your encrypted container, where this script is used. Do you know of it?
GS: Answer no.
OW: On your computer, in this encrypted container there is a file called prim.gz containing Logica RACF database that we talked about in the chat.
GS: I refer to the previous answer.
JP: Should we explain to the lawyer what RACF is?
ML: Yes, please.
JP: RACF database is a user permission database that Logica has in their mainframe systems, with usernames, details of passwords, and in cases where they have Infotorg accounts, also affiliation, organizational membership, and services or yes, company names and such things.
ML: Okay, thank you.
OW: When Logica themselves went through this intrusion, went through their system, they found a number of files that were uploaded to their system. Backdoors, various program files. They came from several different IP addresses. Common to these, many of them, is that they are on your computer, inside your encrypted container.
GS: Yes, I refer to previous answers.
OW: Eg a program called kuku, do you know that?
GS: I refer to the previous answer.
OW: During these breach so, he or they that did it. They compressed a whole lot of Logica’s material into tgz-files and then downloaded them with FTP. Even a portion of these compressed files are on your computer in…
GS: …referring to previous answers
OW: We spoke about a SSH key… in the chat, even that is in the encrypted container.
GS: Referring to my previous answer.
OW: In the computer there are also four files with usernames and passwords, it’s over 100 000. Anything you recognize?
GS: Referring to previous answers.
ML: Which computer?
OW: The MacBook. In your computer there is a file called just “out”, it includes a summary of data, raw data from the tax agency.
JP: I have it with me if you want to show it.
OW: Yes, no. This summary is about your security number, you.
GS: Partially I’m referring to previous answers and partially I also want to comment that I am somewhat famous. So there are a lot of reasons why people would look up my information… me.
OW: It’s not queries. They have withdrawn…
GS: Yes but queries… (interrupting each other)
GS: You understand what I mean…
OW: So it is not you who has done this?
GS: No
OW: There is one about Fredrik Neij too, the same.
GS: I refer to the same thing, he is famous too. Famous for having large debts, if it’s the bailiff it’s about then I would like to add that it seems likely.
JP: These are datasets… that are a little, not only at the tax agency, but several different dataset that the data is gathered from, it’s not only tax agency or or bailiff data.
GS: What data is it then?
JP: Datasets that you have… that are on your computer.
GS: Yes it is good that people have decided that I am guilty already from the start. Thanks for that.
JP: I’m sorry, that’s not what I meant. I meant…
GS: …that’s exactly what you meant
JP: I just meant that your computer contains these datasets that the summary is based on.
GS: Yes queries, summary, whatever… I’m still wondering what kind of data it is.
JP: Shall we show it in that case?
OW: Yes, you can do that.
JP: Then you can see for yourself.
JP: The file… name is out.txt
GS: Yes, this is easy to understand?
OW: It’s various data about you.
GS: But where is it from? Half of it is entirely impossible to understand. Then there are some tips I can guess are cash amounts and… some obvious dates… so congratulations, somebody has done a credit check on me.
JP: If it now is a credit check…
GS: I’m guessing that it is.
JP: Considering that the dataset names are also here, D044, and the prefix D044… so it is very unlikely that it would be a credit check.
GS: Equivalent information at least.
OW: A last question about Logica here. We spoke about these social security numbers, the list with the security numbers that was on Pastebin. In your computer you have, in two places, that list.
GS: I’m referring to previous answers.
OW: There is an Excel spreadsheet called infotorgusers. It contains around 3 000 names, people and their permissions in Infotorg. The main portion of these people are police employees. Do you know of this list?
GS: Answer no
OW: Does the lawyer have any questions regarding what we have talked about now?
ML: I don’t have any questions about what we talked about now.
OW: The time is 10:40 and we finish the hearing regarding Logica.

TPB not the reason

Friday, March 22nd, 2013

The Swedish Ministry of Justice issued a statement on the 27th July, 2012, requesting assistance from Cambodia. They wanted anakata arrested. Bertil Olofsson, Head of the International Section of the National Police, and Tom Abrahamsson, Head of Adm and Consular Matters of the Swedish Embassy in Phnom Penh, were quoted by Sveriges Television saying that Gottfrid had been arrested to be brought home to serve his TPB prison sentence.

In reality the request was made in relation to “an ongoing preliminary investigation” [sic]. It turns out it’s not worth pulling people home from exotic countries over petty culture sharing. Admittedly it was a very effective smokescreen. Enjoy Lao, TiAMO :-))

Here’s the letter:

Stockholm, 27 July 2012

To the Competent Judicial Authority
Phnom Penh
The Kingdom of Cambodia

URGENT AND CONFIDENTIAL MATTER

Request for legal assistance in a criminal matter

The Swedish Ministry of Justice presents its compliments to the Competent Judicial Authority in the Kingdom of Cambodia and has the honour to forward a letter of request for legal assistance in a criminal matter.

The request is issued by the International Department of the Prosecution Authority in Stockholm, Sweden and is made in relation to an ongoing preliminary investigation.

The Ministry of Justice kindly asks for your assistance to arrange for the requested measure to be executed.

The Ministry of Justice avails itself of this opportunity to renew to the Competent Judicial Authority in the Kingdom of Cambodia the assurances of its highest consideration.

Harriet Birkeland
Desk Officer

Inside the anakata kidnappers’ lair

Wednesday, February 20th, 2013

This write-up continues the story of anakata’s arrest in Cambodia, previously “Sweden kidnapped my friend” (mirrored here). This piece is based on a public document, dnr UF2012/50964/UD/KC, retrieved from the Swedish Ministry for Foreign Affairs. The document is available in its full form here. According to the Swedish ministry one piece of information has been classified and is therefore missing from the PDF. The document includes the e-mail correspondence between the Swedish Embassy in Cambodia and the Swedish Ministry for Foreign Affairs that occurred when Gottfrid Svartholm Warg was arrested under mysterious circumstances late August, 2012. A translated summary has been included at the end of this article.

It is obvious from the document that several people hired by the Swedish Embassy were made uncomfortable and worried for their safety after being threatened and harassed as a direct result by the previous written story. I would therefore like to begin by saying that there is no way I will ever support such attacks. I highly value and respect everybody that takes the time to follow and try to involve themselves in this outrageous story, but sending hate mail is not the way to go. There are many of us that feel frustrated and angry but this is not the work of single individuals. These events are symptoms of a broken society. We can not fix broken societies by attacking individuals, even if they may be hired to do things that are very sensitive to us. Please do not harass anybody through hate mail  it’s not a very effective way to start debate. Thank you for remaining calm and maintaining hardline Kopimi.

“An interesting detail is that the same Interior Minister [Sar Kheng] visits the Ministry for Foreign Affairs in Sweden this Sunday.”
– Helena Wahlström, Swedish Ministry for Foreign Affairs secretary

Perhaps food for conspiracy thoughts, but the circumstances surrounding Gottfrid’s arrest on Cambodian soil are, to say the least, very intriguing. The public documents of e-mail communication between officials related to the case might not flabbergast those that remember how the US threatened Sweden with trade sanctions given that they did not (illegally) shut down The Pirate Bay’s hosting provider PRQ. The newly acquired information reveals some previously missing information:

  • 30 August, 2012: Gottfrid is arrested. US Trade Representative Ron Kirk lands in Phnom Penh. Gottfrid is initially placed in the Ministry of Interior’s Counter-Terrorism department.
  • 31 August, 2012: Gottfrid’s Cambodian visa expires. Gottfrid is visited by ambassador Tom Abrahamsson.
  • 5 September 2012: I personally visit Gottfrid at the Counter-Terrorism department. Swedish ambassador signs deal granting Cambodia $59.4 mln USD to strengthen democracy.
    Edit by Kristina Svartholm
  • 6 September 2012: Gottfrid is moved from the Ministry of Interior and disappears. Gottfrid’s last location, the Ministry of Interior, says that he has been transported to the embassy. The Swedish Ministry for Foreign Affairs denies to his mother over the phone that he is held in the embassy.
  • 7 September 2012: Cambodian Minister of Interior, Sar Kheng, signs the deportation order. Tom Abrahamsson travels from Phnom Penh to Sihanoukville. I personally visit the embassy which denies that Gottfrid has ever been there.
  • 9 September 2012: Sar Kheng visits the Ministry for Foreign Affairs in Stockholm.
  • 10 September 2012: Gottfrid re-appears in a Ministry of Interior holding cell in front of the airport and is later escorted by Swedish police agents to Stockholm through Bangkok.

The document proves what has previously been stated in the first article: anakata was initially held at the Cambodian Ministry of Interior’s Counter-Terrorism department, it was known that he had no Cambodian defense despite his right to fight in court, the Swedish embassy was visited first by me alone and later by me along with a lawyer, the embassy denied knowing where Gottfrid was being held, the reason why I went to the embassy was because Gottfrid did not have a legal representative and the Cambodian authorities had told us that he was being held at the embassy.

“The connection [between Gottfrid’s arrest and the $59.4 mln USD] is ridiculously far-fetched.”
– Anders Jörle, Swedish Ministry for Foreign Affairs spokesperson

The document ends with conclusions about how hateful and misinformative we are. On 12th September, 2012, Teo Zetterman tweeted using the Twitter account @SweMFA, belonging to the Swedish Ministry for Foreign Affairs. @mirkoschaefer asked for a comment on the first article that I wrote on this subject and received in response: “No, that is a work of fiction.” Those were the official words said by the Ministry for Foreign Affairs after they had received defensive e-mails from the ambassadors. I would love to hear from the Ministry about what exact parts were fictional. The public documents covering their e-mail correspondence sure sync pretty well with what was previously said.

The reaction that the initial article sparked in these internal governmental cliques was rather expected. Logically the embassy would immediately defend itself and claim that everything was handled properly. Not because they had done something particular but because that’s the information they were provided, as it now turns out, from the agents working for the Swedish Security Service. As soon as the embassy was made aware of our interest through my presence at their office the first suggestion was that they would start talking through other mediums than e-mail. Why? Because e-mail is automatically logged and goes public after a while. Any suggestion to communicate over other channels is a giant threat to democratic transparency. Journalistic interest was immediately considered harmful and they reacted thereafter.

Now that the e-mail correspondence has gone public it is much easier to trace the faults in this circus. The embassy trusted that the agents working for the Swedish Security Service told the truth when they said that Gottfrid had been informed about his rights to legal defense in Cambodia. In the e-mails the embassy wrote saying that the Swedish agents claimed to have visited Gottfrid on a daily basis. According to himself Gottfrid was visited only once by the ambassador on the day of his arrest. He is unaware of being visited daily, which one might expect somebody who has been arrested and informed about his rights would be quite certain of.

“Cambodian and Swedish authorities blurred the lines between deportation and extradition to limit Svartholm Warg’s legal options.”
– Sok Sam Oeun, Cambodian Defenders Project

The Swedish embassy is obviously the source for the information that was later echoed officially by the Swedish Ministry for Foreign Affairs calling the previous piece “a work of fiction”. And instead of receiving responses saying “hey, maybe we should just let the kid with the attorney sent by that other kid’s mother through” they immediately turn into victims sending sympathies and making sure that everybody understands that everything has been handled correctly. Not because they prove it, or prove how the opposite side is lying, but because they were told so by agents working for the Swedish Security Service. The embassy wants to make it seem like the previous article was some sort of hate campaign trying to defame its employees personally, when what was said can now partially be found in these public documents. Previously they concluded my presence, mission and reasons. Gottfrid did not have a lawyer, that’s why I brought one. We heard that he was in the embassy and when we asked them they had no idea. They were unwilling to co-operate in finding one of their own citizens. With the documents from behind the scenes secured it appears that they were as a matter of fact unwilling to co-operate in going against the human rights violations played out by the Swedish Security Service.

I guess it’s time to find out exactly how dangerous it is to be right when the government is wrong.

Edit by Kristina Svartholm:
On 6 September I was told by Niklas that the Cambodian authorities once again said that Gottfrid had been moved to the embassy. This was denied (not confirmed – correction!) by HW to me over the phone. HW couldn’t tell me exactly where he was, however.

On 7 September I was really worried about Gottfrid. This was the third day that he was gone. Where was he??? Thus, in the morning I requested that someone from the embassy should find him and visit him. The answer from HW was that this was impossible. They had visited him once, a week before that, and this was enough, the embassy didn’t have time to do it again that same day. At this point my voice became loud; maybe I also cried on the phone.

Later the same day I was told by HW that they had visited Gottfrid and that he was ok. Today I can read in the documents that his visitor was from the Swedish police. According to the mail from HW this policeman had met Gottfrid “every day”.

Why couldn’t the Ministry of Foreign Affairs tell me about this earlier???
So much worry, so much anxiety.
Was it really necessary to treat us like this?

 

UF2012/50964/UD/KC translated summary

Timestamps are specified as retrieved from the original Swedish document. Please note that the Swedish government has inconsistently excluded timestamps for unknown reasons. It is unknown if any additional modifications have been made by the government.

30 August 2012 10:07
Tom Abrahamsson (TA), Head of Adm and Consular Matters of the Swedish Embassy, Phnom Penh, Cambodia, sends a high priority e-mail to the Swedish Ministry for Foreign Affairs informing that a Swedish citizen, Gottfrid Svartholm Warg (GSW), has been arrested in Phnom Penh due to an international warrant.

30 August 2012 10:43
TA sends an e-mail asking: “Who contacts the mother? Who will keep in touch with the lawyer in Sweden?”.

30 August 2012 10:43
Helena Wahlström (HW), Department for Consular Affairs and Civil Law of Swedish Ministry for Foreign Affairs, announces that “this man has landed on my desk”.

31st August 2012 (timestamp removed)
HW writes that she hopes that the embassy will provide a confirmed reason for the arrest during the day. It is unconfirmed if the arrest is due to an international arrest warrant. Future questions about extradition treaties are further referred to the BIRS department of the Swedish Ministry of Justice.

31st August 2012 (timestamp removed)
HW writes that she has just hung up the phone with consular responsible TA who has just visited GSW. GSW is only replying with yes or no to questions and replied yes when asked if his mother should be informed. GSW is said to be at the Cambodian Ministry of Interior Counter-Terrorist department. HW speculates that the location might be due to lack of space in other places and that GSW might eventually be transferred to some sort of migration jail the coming week. It is unknown how the extradition process will occur, and if it even will.

31 August 2012 10:25
HW e-mails that she understands that GSW “is not so interested” in keeping contact with the embassy. She quotes GSW’s mother, Kristina Svartholm (KS), asking about the conditions that GSW is held in, whether he has food or not and if he is able to call the embassy. It is still unconfirmed that the arrest has happened due to an international arrest warrant.

4 September 2012 11:01
Camilla Åkesson Lindblom (unknown), e-mails HW saying that she has been called up by Monique Wadsted asking for information about GSW.

4 September 2012 (timestamp removed)
TA writes that there have been many questions from Swedish and international (mostly Cambodian) media. It is still uncertain what the following step will be in the eventual extradition process. TA also asks if anything can be said about legal defense for GSW. TA asks if GSW has been offered defense or if it has been solved privately.

6 September 2012 11:35
TA writes that GSW has not been moved out of the country. Supposedly the Cambodian government will decide today. When the decision is made it will take the Cambodian government 2-3 days to execute the extradition.

7 September 2012 06:49
Anne Höglund (AH) writes that she has been visited by GSW’s friend Niklas who brought a lawyer. “They had also been told that GSW would be here, which I of course strongly denied and referred them to Cambodian authorities”. AH also writes that she thinks that it is wise to keep in touch through mediums other than e-mail.

7 September 2012 11:44
HW writes that replies and referrals should be given by another ministry. KS has called saying that she heard from Cambodia that GSW has been moved to the embassy. KS also expressed concerns that GSW had been moved and dumped in a third country. HW continues saying that KS also told the Swedish Ministry for Foreign Affairs that GSW had not been provided a lawyer. “I have informed and resonated multiple times about the consular mission and what we can and can not do.”

7 September 2012 (timestamp removed)
HW writes that KS is calling and is very worried because the previously mentioned friend and lawyer is being told that GSW is held in the embassy. HW asks if it is possible to figure out where GSW is now being held.

7 September 2012 (timestamp removed)
HW writes that she has spoken to AH who was just visited by the Swedish police agents that will escort GSW to Sweden. The agents that picked up GSW’s temporary passport said that they had visited GSW “every day, last time this morning local time”. Their evaluation is that GSW is feeling very good despite the circumstances. AH does not know exactly where GSW is being held. The extradition order has now been signed by the Interior Minister [Sar Kheng]. The escorted extradition will occur on Monday the 10th September. “This can of course not be shared with external parties.” HW continues by writing that “an interesting detail” is that the same Interior Minister visits the Ministry for Foreign Affairs in Sweden “this Sunday”. She says that she will call “ASO” because “there might be questions”. The embassy has been visited by “a friend of GSW + a local lawyer” since Swedish ministries have continually stated that GSW is being held at the embassy, which was denied by AH. “Furthermore at the embassy it was insinuated that the embassy doesn’t comply with its consular missions etc. KS is also expressing this to me daily.”

7 September 2012 (timestamp removed)
HW writes that GSW’s previous lawyer in Sweden, Ola Salomonsson (OS), has called asking if GSW may contact him; HW’s reply being that it will be discussed with the embassy but that it is a question for Cambodian authorities and that it’s uncertain whether the response can reach him before the weekend. OS also said that he had contacted a lawyer in Cambodia [Sok Sam Oeun].

10 September 2012 06:48
TA writes that GSW will be departing from Cambodia around 8 local time.

10 September 2012 07:21
TA writes that they are trying to figure out if OS can call GSW. “OS doesn’t know that GSW is leaving for Sweden tonight.”

10 September 2012 08:20
TA responds that Cambodian authorities gave permission to contact GSW. TA says that the embassy will let OS through because “KS has been worried” (sic).

10 September 2012 (timestamp removed)
HW writes that OS has been informed and will attempt to establish contact with GSW.

10 September 2012 12:30
HW writes a remark that OS doesn’t formally represent GSW legally.

10 September 2012 16:03
TA writes that GSW has been sent out of the country.

11 September 2012 05:42
AH writes a long defensive rant. She begins by saying that GSW’s friend Niklas is lying. She confirms what has previously been said: Niklas visited the embassy once and returned later with a lawyer after hearing that GSW had been held at the embassy. “I was always very friendly and correct towards them and we had a very civilized chat that they are now trying to turn into something else. Perhaps I should not have spoken to them alone but there was nobody updated present. And it is hard to reject him, then we would be criticized for that.” She later writes: “I suppose that the best now is to not answer to any questions at all. I have a feeling that anything we say will be distorted. Here in Cambodia people are used to human rights violations and always expect governmental abuse. Therefore nobody has been troubled to write anything about GSW and the crimes he has committed but the focus is on how he is being treated and people are always trying to find faults in the actions of the government. People in the embassy are worried that this will cause problems for us. Don’t know how much blogs like these can spread and if it can affect the Ministry for Foreign Affairs somehow.”

11 September 2012 08:46
Karl-Anders Larsson (KAL) writes saying: “Here is a link to a blog. If this spreads (which is highly likely) then we will have some problems. We partially already have it in today’s PPP. Would be good if we can talk about this on the broadcast meeting.” The link goes to http://qnrq.se/sweden-kidnapped-anakata/

Several governmental workers express their regards because of the “highly subjective” reports regarding GSW’s arrest.

13 September 2012 10:40
AH writes that the “attacks from PB followers” (sic) are very uncomfortable. AH continues that her e-mail has calmed down and that they have been given some food for thought in computer security. “These people are very hateful.”

Sweden kidnapped my friend

Monday, September 10th, 2012

Gottfrid Svartholm Warg, anakata, was arrested in his Riverside Phnom Penh apartment late August. I was personally at Cadillac bar located on the ground floor of the same building where Gottfrid lived. I have visited him on several occasions since I moved to Phnom Penh in January. It was nothing unusual for Kenny, Gottfrid’s friend and landlord working at Cadillac bar, to ask me if I would be going up to see him. This time was the first time that I went to Cadillac bar being alone and not visiting Gottfrid. Perhaps I chose not to because of what they call gut feeling. I don’t remember feeling anything strange, but for the very first time I decided not to drop by.

The very next day I had caught a bad fever and called in sick to work. I didn’t hear about the news until Saturday when a friend of mine called asking what I knew. I was still lying sick in bed, but as soon as I heard what had happened I went down to Cadillac bar to try and figure out what was going on.

When I reached Cadillac I immediately understood that I had been told the truth. Kenny would usually greet me with an enthusiastic smile upon my arrival. This time he sat pale white at the bar and didn’t even turn around to look at me when saying hello. The bar was however more crowded than I expected and I figured that it was probably for the best to not bother asking any questions. I finished my pasta dish, paid the note and said good bye to Kenny’s back before heading back home.

A mutual friend of mine and Gottfrid, who was in contact with his mother, spoke to me a couple of days later and asked me to speak to Kenny so we could organize something and also stream information between here and there more efficiently to keep Gottfrid’s parents updated. We cleared the trust issues and started talking.

I learned that Kenny was actually the best friend of Gottfrid available at this time. From the moment that Gottfrid was detained Kenny would go to the Ministry of Interior’s Counter Terrorism department on a daily basis to ensure that Gottfrid would meet a friendly face. He would bring food, soda and books. Everyday Kenny came and asked Gottfrid if he had been told anything, been asked questions or been visited by someone. Gottfrid was only visited the first day of arrival by the Swedish embassy but they never asked anything or told him his rights or really what was going on.

At this point in time the news had already hit the global mainstream press. Gottfrid’s Swedish lawyer, Ola Salomonsson, had no idea what was going on. Initially the Cambodian authorities said that Gottfrid had been detained due to breaking local laws and that after he had been detained they realized that he was internationally wanted by Interpol. The underlying tone was that he had been found merely by coincidence. Later it turned out that they had arrested him in connection to his visa expiring.

The day after Kenny received the verification that I was OK to speak with, 5th September, he brought me to visit him at the Ministry of Interior. I left my phone in the office due to paranoia and when we arrived and I saw the big sign on the building with a Khmer sentence translated to “Counter Terrorism Department” I immediately understood that this was something bigger than an expired visa. Even though his passport had been revoked when he became internationally wanted by Interpol, Gottfrid still had a valid visa until the day of his arrest.

We entered the building and were put in a room with three huge CRT monitors connected to one desktop PC each facing the wall on the opposite side of the room. We were ordered to place the meals that we brought with us on a table with the plastic bag containing canned Fanta. The officers took no interest in the books that we brought for him. We were then told that we may go into the hallway again and continue into the room where Gottfrid was held. The door was already open and there were approximately 8 officers present and additional ones lurking in the shadows around the hallway. Kenny went in first and I followed. When Gottfrid saw me he immediately looked from officer to officer in what seemed like an attempt to figure out if there was something special related to my presence. I came in muttering “so this is where the terrorists hold the antiterrorist”.

The room looked like a classical classroom with lined up benches. Gottfrid was sitting at the front, where a teacher would stand in a school environment, in a woven wooden chair, tilted to allow him to lie with his back at 45 degrees and his legs at 90. He was sitting upright with his legs crossed wearing the blanket. The officers weren’t freezing but Gottfrid was obviously not enjoying the forced air conditioning. The second we started to speak Swedish with each other all officers but one left the room. A few minutes later they rushed back in and told us that we only had five minutes more. We headed out and passed the guard at the gate a $1 bill.

The following day when Kenny returned with all the regularities he was denied entrance. The officers at the Ministry of Interior said to him that Gottfrid had been transported to the Swedish embassy. We called the Swedish embassy who did not pick up the phone. We called the Swedish Ministry of Foreign Affairs who hung up on us. Later the Swedish Ministry of Foreign Affairs told Gottfrid’s mother over the phone, when she specifically asked for it, that he was in the ministry.

At this point Gottfrid still hadn’t been reached by Ola Salomonsson and Gottfrid was never offered a lawyer by the Swedish embassy. Swedish authorities told Swedish press that Gottfrid was being extradited because he was wanted by Interpol to serve his one year sentence which he was convicted to in The Pirate Bay trial. The Swedish authorities lied through their teeth. Gottfrid wasn’t being extradited, he was being deported under the Cambodian immigration law. But people that are deported can choose where to be sent and also leave the country by their own free will. Deported people also have the right to fight the decision in Cambodian court. Of course Gottfrid was never informed about this by the Swedish embassy. They also forgot to inform Gottfrid’s Swedish lawyer.

Suddenly we became very stressed about the whole situation. Gottfrid needed to know that he had the right to a Cambodian attorney and to fight in court and he also had to be informed that it was up to him to demand it. The Swedish embassy never told him this, as later confirmed by Anne Höglund: the ambassador who signed the $60 mln USD aid deal.

I went to the Swedish embassy in Phnom Penh on the 10th floor in the Phnom Penh Tower. I felt really helpless and didn’t know what to do. I felt desperate to have a face to direct my questions and frustration towards. Since the information that we had available indicated that he was captured in the same embassy that refused him his rights my initial idea was to go there and pass him my message as loudly as I possibly could through the walls.

I reached the reception who asked me why I was present. I told them I was there as a friend of Gottfrid’s uninformed parents and soon enough I met Anne Höglund. I found her quite rude for never inviting me to any form of office room or something, instead she had me standing in the reception asking her questions. She told me the opposite of what we had heard from the Cambodian Ministry of Interior and the Swedish Ministry of Foreign Affairs: Gottfrid had never been there. I explained in a very serious tone that this was a matter of human rights, that he hasn’t been convicted for anything but The Pirate Bay and that it is their job to do what they had not done.

We were interrupted by around 6 people that came into the embassy to speak to Anne Höglund. I let her know that our discussion was not over even though she didn’t assign another agent to handle my complaint and Tom Abrahamsson had coincidentally gone on vacation to Sihanoukville this particular day. Gottfrid’s mother was informed that Tom, the Head of Adm and Consular Matters, was the person that had visited Gottfrid. He didn’t leave the country or so, he just travelled four hours out of the city but was entirely impossible to contact.

I left the embassy and came back with Gottfrid’s mother’s Cambodian legal representative: Mr. Sok Sam Oeun. Sok Sam Oeun is currently the Executive Director at the Cambodian Defenders Project. In 1995 he won the Award of Defenders of the Year presented by California Defender Association and in 2002 he won the International Human Right Awards presented by the American Bar Association. He has over 20 years of experience in human rights and is also an expert on the international relationship between Sweden and Cambodia. He was early to be quoted in some articles regarding Gottfrid’s deportation. I brought him with me back to the Swedish embassy.

When we arrived they were obviously tired of me already. Unluckily for them I am a Swedish citizen and thus they can not deny speaking to me. And this time I also brought my backup: Mr. Sok Sam Oeun. I went through the process of informing the reception about what I wanted. At one point the Khmer receptionist picked up a phone and pointed at another one on my side of the protective glass. I picked it up and heard him say something, but figured it was a too long sentence to be for me. He shouted at me asking if it worked. I shook my head. He pointed at one on the opposite side of the desk. I picked it up and he asked me again if it worked. No luck. He pressed some extra buttons which I figured was actually required to connect to the proper phone on the line and I picked it up. The receptionist stared deeply into my eyes and said “you’re here regarding Gottfrid, right?”. I told him that was correct. Without blinking and still staring at me he then proceeded by asking “the fool that got arrested, right?”. I was in a bad position to throw a fight over his wording and simply confirmed once again. “I will ask for permission and then we will see.”

Before 10 minutes passed Anne Höglund came into the waiting room. “Oh, it’s you again”, she muttered in Swedish, clearly unhappy over me. “Yes”, I said, “but this time I brought backup”, and presented her Mr. Sok Sam Oeun. I said that since this was a very high profile case we must make sure that everything is legally correct, and of course that Gottfrid’s parents were very worried. When Sok Sam Oeun spoke to Anne Höglund and asked her questions she quickly fell into absolute defense mode. She crossed her arms and her every movement increased in speed. She was very stressed. She continued to say all sorts of truly absurd things such as “he does not need a lawyer” and that they had done everything they have to do. I deceptively nodded and it seemed like she considered Sok Sam Oeun to be the bad guy and me to be the good guy in the situation. She was subconsciously looking for me to agree with her and I met her with a confirming face conforming her to continue her lies.

Anne told us that in “every normal case” the Swedish embassy would provide the suspect a list of attorneys from where they could freely pick their defense. I told her that it was absolutely irrelevant how they handle normal cases because if it was a normal case then Gottfrid wouldn’t be held by counter terrorists over an expired visa. An expired visa in Cambodia usually doesn’t generate more problems than having to pay a fine when leaving the country.

She denied that Gottfrid had ever been in the embassy and said that this idea was absurd. She got stuck in a loop, I think she repeated her nervous “no” at least a dozen times before asking “who said that?”. Apparently we needed to speak to the Cambodian authorities because this was a police issue. Anne said it was an issue handled to a 100 % by the police and that the embassy had no interest in this. “Even if he has disappeared?”, Sok Sam Oeun asked her. I told her that right now we have a situation where the Ministry of Interior, Gottfrid’s last known location, said that Gottfrid was in the embassy and the embassy is saying that they don’t know where he is. I never told her that we had also heard the same information independently from the Swedish Ministry of Foreign Affairs and that the information that Anne was giving us was the exact opposite of that. Anne stood her ground: she didn’t know anything, didn’t understand why we were at the embassy and was not willing to cooperate with us in an attempt to figure out Gottfrid’s whereabouts. She made herself entirely unavailable to us so we parted.

According to Cambodian law Gottfrid’s parents’ attorney has the same right to speak to Gottfrid as Gottfrid’s own attorney, if he would’ve had one. Anne obviously either forgot or ignored this and she was never interested in respecting Sok Sam Oeun’s authority. The way the case unfolded it is very obvious that the Swedish embassy lied to us, tried to convince us that Gottfrid was not in need of a lawyer and denied his fundamental human rights both in Sweden and in Cambodia. Gottfrid’s mother got similar information from the authorities in Sweden. She was told that the process of deportation would not be a juridical process as such and thus no lawyer would be involved. Anne wanted to convince us into believing that Gottfrid was detained because of his invalid visa. Either Anne Höglund is entirely incompetent or she tried misleading us and denied us our rights because she knew that we had the legal possibility to take the matter to court and possibly have Gottfrid sent to another country other than Sweden, since he was after all being deported and not extradited. Perhaps Anne is an incompetent liar who fails to understand why someone that is locked up by counter terrorists needs access to a lawyer whether he’s charged for a crime or not.

After the coincidence with the $60 mln USD aid package granted by Sweden to Cambodia was settled Anders Jörle, spokesperson for the Swedish Ministry of Foreign Affairs, told media that the connection between Gottfrid and the money was “ridiculously farfetched” and that nobody sentenced to one year in prison is worth that amount of money. Of course he never told the press exactly where Gottfrid was locked up in Phnom Penh or that parts of the case for what he is being kidnapped for is classed secret by the Swedish Ministry of Justice. He also forgot that somebody that has been openly involved in both The Pirate Bay and WikiLeaks might be worth it. Everything around Gottfrid must truly just be a big coincidence. We’re just waiting for them to stop shaking and cross their arms and show us exactly how they’ve acted correctly according to current national and international laws before we can truly believe it. Until these things are cleared out and proven to be correct I’m going to refer to this incident as the event where Sweden illegally kidnapped by far the most intelligent person I have ever learned to know.

Until this day neither Gottfrid’s Swedish attorney nor his mother’s Cambodian attorney has been able to contact Gottfrid.

We miss you, Gottfrid

A glimpse into the third world

Sunday, January 15th, 2012

Going to Cambodia has been a dream that I’ve cherished for five years. I’ve been very fascinated by the country from western distance, and last week my dream finally came true. After signing the forms to quit my former job as a software developer for Flattr and breaking up with my girlfriend I booked my flight from Stockholm to Phnom Penh through Frankfurt and Seoul.

The first wave of my culture shock hit very hard when I had to pass through approximately 200 begging locals populating the airport exit. After way too long traveling with very limited sleep my only intentions were to get in the cab which I had arranged with the hotel that I had booked and lie down in a bed and try to let everything just sink in. It turned out that the driver had let me down and I couldn’t get the phone number provided to work. After passing the local horde a third time I simply picked a random taxi and asked him to take me to the first cheap hotel that he knew of.

Cambodia is one of the poorest countries on this planet. WHO has reported that 81% of the around 13.4 million people in 2008 live in rural areas. A very large portion of the population survives on solely $1 USD a day. The traces of the Pol Pot regime killing about one third of the population in the 70s are very obvious around here. Everybody that I’ve met is somehow still suffering from the wounds from the Maoist Khmer Rouge.

Judging by my own personal experience, the statistics of the extreme poverty are very hard to grasp. Seeing pictures and video footage from a distance was completely different to physically arriving and witnessing the misery. UNICEF has estimated that Cambodia is the third most landmined country in the world. Even though the civil war has ended, you still have to worry about its traces. The jungle will literally eat you if you don’t watch your step.

One day I visited the Choeung Ek killing field in Phnom Penh. Seeing the genocide center itself was very heartbreaking, but the worst part of it all was realizing that the two children in the picture above live and grow up just a couple of meters outside of the killing field with their home separated by a fence. I won’t lie. Seeing the conditions that they are growing up in probably changed me more than I am currently conscious of.

The following day a moto driver that I had befriended did me the honor of driving me to a village called Phnom Sruoch. It was just about an hour’s drive from Phnom Penh, but it’s not a place where tourists normally go. Many villagers that I met had never seen a foreigner before.

On my way there I bought 30 writing books and 30 pencils for $12.5. As a comparison I’ve received around $30 from volunteer donations to this blog through Flattr. Thank you. This one is for all of you guys who think some of the stuff that I publish here is worth paying for.

But $12.50 is a lot less than the $30 that you’ve flattred me for. I wouldn’t want to let you down. Yesterday I bought a 50 kg sack of rice for $45 and donated it to the Light House orphanage on lakeside Phnom Penh, which is currently the home of 108 children. Consider it a bonus.

Don’t rely on charity organizations to do the work for you. If you truly want to help the world and improve the living conditions of people suffering: then do. You don’t have to come and visit the third world and risk your life for direct action. Many orphanages have donations through systems like PayPal, you just have to find them. There are many good people in the world that may help you without taking a cut like big organizations do. Don’t expect the world to change because you’re funding an organization. If you want action to be taken then please, take action.