Feds Thwart Extortion Plot Against Best Buy 942
hiero writes "From an article
in the Star Tribune: 'Federal authorities said Tuesday they thwarted an extortion plot against Best Buy Co. Inc. by a man who sent the company an e-mail threatening to expose what he claimed were weaknesses in the retailer's computer system unless he was paid $2.5 million.' What's really interesting to me, though, is this paragraph further on in the article: 'The federal search warrant was obtained the morning of Oct. 24 and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.' Internet Protocol Address Verifier? Is this Carnivore in action?"
I think... (Score:5, Funny)
Blogzine [blogzine.net]
Re:I think... (Score:5, Funny)
Re:I think... (Score:4, Funny)
Sivaram Velauthapillai
Re:I think... (Score:5, Insightful)
But if you reeive an HTML message that includes an IMG link to the senders' site, when Outlook displays the image (even if it's an invisble 1 pixel one) they have your IP. There are ways to block this, but it's on by default. Spammers use this to verify your address.
Re:I think... (Score:4, Interesting)
Re:I think... (Score:5, Informative)
If you want to see the images you have to request them to be downloaded, or add the sender to your list of trusted sites.
Re:I think... (Score:5, Informative)
Tm
Re:I think... (Score:5, Funny)
Re:I think... (Score:4, Insightful)
Why not?
They'd get just as much information from the IP address of his ISP's web server as they would from his actual IP address. (Hint: Your IP address does _not_ typically broadcast who you you are, it announces who your ISP is.)
Even with the IP address of the user, they'd still have to subpoena the ISP to get the user account information - which the ISP would have to look up in their logs. If they got the IP address of the ISP's proxy, the ISP would simply look in the proxy logs first.
Now, if the user was uing an off-shore open proxy (say in Asia somewhere) then they might have a problem.
all new versions of outlook (including XP SP2d versions) will not serve up remote assets in HTML emails unless specifically instructed to do so.
Well I guess that he wasn't using a new version of Outlook then.
Re:I think... (Score:3, Insightful)
Re:I think... (Score:5, Funny)
By the time it starts loading, the damage is already done.
Re:I think... (Score:5, Funny)
Ye... oooh, nice try feds! Almost got me on that one!
No Wonder (Score:5, Funny)
As opposed to... (Score:5, Funny)
As opposed to a big company who tries to extort us to use Outlook?
IP Address Verifier == web bug (Score:5, Interesting)
Re:IP Address Verifier == web bug (Score:5, Interesting)
That's my guess too. If so, had the extortionist had his mail client set up like mine, he wouldn't have had his IP "verified".
My client, actually, is the (rightfully) much maligned Microsoft Outlook, but I don't have a problem with web bugs, because my firewall only allows Outlook to connect to one address -- my domain's mail server -- and only to two ports at that address, ports 110 and 25.
This means no web bugs or any referenced (as opposed to inlined) images are ever displayed. In the few cases where I actually want to see referenced images, this is a minor inconvenience, but it's more than offset by knowing that no spammer -- or corporation -- ever gets verification of my email address.
For most mail, of course, it's not an issue. Important email rarely if ever contains referenced images; indeed I discourage anyone from sending me HTML-encoded email at all.
And if I want to view a url included in an email, I just click on it, and Firebird (which is allowed to connect to any address, so long as it's to port 80) displays the url. If I really want to see an email in its full glory (and I never do), I can always save it and then open it in Firebird.
Re:IP Address Verifier == web bug (Score:3, Informative)
that reminds me, when was the last time outlook actually allowed you to click an executable attachment and have it run? it had to be 2000, pre sp1, no?
Re:IP Address Verifier == web bug (Score:5, Informative)
Re:IP Address Verifier == web bug (Score:4, Informative)
per-process firewall (Score:4, Interesting)
Re:per-process firewall (Score:4, Informative)
Have a look at the 'owner' match extension to iptables:
Re:IP Address Verifier == web bug (Score:4, Funny)
Methinks that would be marketing speak for an HTML mail with a web bug (1x1 transparent pixel image loaded from remote server). If the 'villain' is using a mail program that displays HTML, his IP address is logged.
The villain didn't of course use any mail program but some generic webmail address (most likely outside the US). The lesson? Use Lynx to read your webmail when extorting Best Buy.
Re:IP Address Verifier == web bug (Score:5, Insightful)
clever criminals don't get caught so you don't hear about them
FBI Files and COPS tend not to show you cases where the perpetrator outwitted the victims *and* the police *and* the FBI.
Re:IP Address Verifier == web bug (Score:5, Interesting)
Indeed. A few years ago, I was talking to a friend of mine who was a county prosecutor about a case which had happened in my end of town.
A woman had her daughter's boyfriend murder her husband for the insurance money. I was amazed that she thought the authorities wouldn't figure it out. My friend said(paraphrasing): "They're mean and they're stupid. You have no idea how mean and how stupid... The smart ones don't get caught."
Of course, most of criminals *think* they're smart enough to get away with their crimes. But as researchers [nytimes.com] have found, they probably don't know they're not smart enough to avoid being caught.
Milalwi
Hmmmm... (Score:4, Insightful)
Re: Hmmmm... (Score:5, Insightful)
I presume that your friend is referring to the typical criminal who is regularly apprehended? Unless he's actively involved with successful criminals, how would he know how stupid or otherwise they actually are?
This is one of the things that makes me laugh about law enforcement. When you hear them being interviewed on Cops or some such rubbish, they're always going on about how dumb these losers are -- not realizing that it's only that group who are dumber than they are able to catch. Epidemiologists refer to it as the clinician's bias. Because doctors only see sick people, they assume everyone is sick.
When they want more resources or additional powers though, they go on at great length about how cunning and sophisticated modern criminal organizations are, and how these new measures are essential to capture them and make the world safe for mom and apple pie.
The truth is that criminals are just like the regular population. Some are smart, some are dumb and some are just average.
Re:Me Too. (Score:4, Interesting)
Internet Protocol Address Verifier ... (Score:4, Funny)
Well, ironic isn't it? (Score:5, Interesting)
And on the other hand, what this guy tried to do was establish a "business relationship" -- notice that he did try to contact them first with the offer to help them:
The e-mail also offered to establish an unspecified business relationship between the sender and Best Buy, adding: "Without your response, we are obligated to share the security hole with the public for their protection. As a result, Best Buy may experience a loss in business, thefts and lawsuits."
Ofcourse, once he noticed he wasn't getting anywhere, he decided to resort to good ole' blackmail.
Honestly, this was bound to happen some day or the other. When legitimate security people point out bugs and holes, they get treated like scum and are threatened with law suits. So whats the best thing to to? Threaten the companies with money. Even if 0.1% of the companies gave in, it still is a way of making money.
Good, atleast this way companies will be more careful about protecting data.
Re:Well, ironic isn't it? (Score:5, Interesting)
I think it's happening more often than what we read about in the mainstream press. Most businesses want to keep things hush-hush as to not generate bad publicity.
Good, atleast this way companies will be more careful about protecting data.
I doubt it, although I tend to be a pessimist when it comes to these matters. As long as they can hide behind lawsuits, it will be business as usual.
My final note of pessimism: things are going to get much worse before they get better. Brace yourselves!
Re:Well, ironic isn't it? (Score:5, Insightful)
Although the article is not very detailed in this aspect, his actions do not speak of someone trying to help BestBuy. Some of the info is not released due to security concerns and pending litigation but this seems more like a black mail scheme more than anything else. If he was serious about helping BestBuy, asking for money ($2.5 million) sent the wrong message because the mafia also used terms like "business relationship" and "offer they can't refuse" when shaking down people as well. Until we know more, all we know is that he said enough in his emails that BestBuy and government thought he was threatening.
Re:Well, ironic isn't it? (Score:5, Insightful)
Do nothing and MYOB. If companies lose substantial amounts of money because of lax security, then they will do one of two things:
- improve their security / invest more in security
- go out of business and/or be less competitive.
in either case, the consumer wins (as in case 2, more competitive companies will spring up to take their place).If, as it turns out, that external security consultants are the way to go, then such companies will engage in a business relationship with one of dozens if not hundreds of world class security firms.
What we don't need is whiny "independent security researchers" doing what amounts to unprofessonal blackmail attempts ("let's establish a 'business relationship' or I spill the beans.) Computer tresspass is computer tresspass. We don't need to revise trespass laws to improve security - we need companies to go to legitimate security firms and use their tiger team services and so on.
Re:Well, ironic isn't it? (Score:5, Insightful)
Computer trespass is computer trespass.
I'm so sick of this crap, I don't even know where to begin.
Best Buy is NOT the entire Internet. Best Buy's security problems could potentially be used to inconvenience or incapacitate innocent sites nearby or, even, innocent sites with no connection to Best Buy whatsoever. Best Buy has a responsibility to fix their security problems when they're made known. If Best Buy's lumbering managerial morons see fit to ignore contacts and help offers, there is nothing wrong with exposing Best Buy's problems to force their hand (blackmailing them is a totally different story).
This ridiculous attitude with these clueless businesses is tantamount to politely telling someone their fly is unzipped and getting your nose punched in gratitude (as the person continues to wander around with the fly unzipped, punching people who are trying to help them). If you find a security problem, you let them know about it. If they ignore you, you let everyone else know about it to force their hand. It's not like if someone who's looking to cause trouble right off the bat is going to give a warning shot over the bough and let them prepare. Hmmm... say I'm poking around a form on a popular retailer's website and accidentally type in a "funny character" and submit it. What's this? SQL error? Oh? I guess I should just keep my mouth shut, right? I shouldn't bother to try and report this glaring vulnerability? After all, I have no obligation to their customers, and, since I have no moral compass at all, I shouldn't even think of those poor, trusting fools, right? Give me a break...
You're a real riot. Are you on one of these "tiger teams", perchance? Mad because all your training doesn't amount to a hill of beans more than someone with a lot of book reading and practice and they're stealing your business by giving out free advice? Or do you just not know what you're talking about? I assume that you believe these "tiger teams" are infallible and could never make a mistake? I guess that once someone goes to a security firm, there's no possible way someone could miss something or something could change after the audit and review? I guess the "tiger team" couldn't possibly have someone on it that has, for some reason, not been acutely focused on the task at hand due to illness, fatigue, personal issues, etc.? I guess this "tiger team" has experienced every possible security problem there will ever be and has taken steps to eliminate all of them forever and there's no possible way a hole will ever be found that they didn't already psychically perceive and patch?
in either case, the consumer wins
I guess the consumer wins when their credit card number, name, and address get stolen too, right? I know that last time MY credit card number got stolen thanks to an utterly stupid retailer, I was REAL pleased about it. In fact, give me your address, I'll mail you all my credit cards and photo id because it's so great when people get them that shouldn't have them.
Here's your passport, sir. Welcome to the real world. Please do try to fit in in some capacity. A good step would be to stop suggesting that knocking the lock off someone's door and walking into an unprotected computer system are the same thing. People who actively break secured systems without invitation are one thing, people reporting obvious flaws or a total lack of security in general are another. Stop lumping them altogther as "computer trespass".
Re:Well, ironic isn't it? (Score:3, Interesting)
As long as I can find ways of fishing that out, you're at fault.
If you have a security flaw that helps 13 year old kids break in and take the credit card information of a few thousand people out there, I think I can say with reasonable assurance that YOU are at fault.
If someone leverages that to their advantage, don't blame them - fix your holes first. Thats the way security works.
Like t
Internet Protocol Address Verifier? Pfft... (Score:4, Interesting)
If the sender is spoofing headers, however, this becomes more difficult. Why not just subpoena the ISP for their email data? Doesn't the server keep a log of what IP addresses sent which pieces of email?
For example:
Received: from [65.119.30.157] (helo=SMTP.magnellmail.net)
by snoopy-bak.runbox.com with smtp (Exim 4.24)
id 1Ae9TJ-0006F6-B0
for xxxxxxxx@runbox.com; Wed, 07 Jan 2004 09:55:25 +0100
Received: from mail pickup service by E1SSL2 with Microsoft SMTPSVC;
Wed, 7 Jan 2004 00:56:48 -0800
The above shows that someone at 65.119.30.157 sent this email. It went through their mail server (magnellmail.net) to runbox, my provider. From there, Runbox directed it to my Inbox when I opened Outlook.
There is also a very unique message ID at the end of the headers section:
Message-ID: [E1SSL23ZpEVmkWFBXZG000011b9@E1SSL2]
Could this be used by the Email provider to find out who sent emails, if the IP address is missing or spoofed?
Re:Internet Protocol Address Verifier? Pfft... (Score:5, Insightful)
Re:Internet Protocol Address Verifier? Pfft... (Score:5, Informative)
I can send you an email right now that will only get you to that mail server's address. there is no way in hell you can get my IP addrees out of it. and then if you try and suponea that company there is no real information in there about me except one IP address that lead's to a http anynomizer... so now you have to suponea that and hope I didnt do a second hop and was stupid enough to use the first two inside a country that will gladly bend over for your government.
your tactic was useful 10 years ago... today it's mostly useless.
Re:Internet Protocol Address Verifier? Pfft... (Score:5, Insightful)
Verifier (Score:3, Informative)
wont last long (Score:4, Insightful)
"Where the heck are my images? Please make it act like the old Outlook."
Its good MS is doing this by default, but most users couldn't care less about security/privacy especially when it inteferes with "purty pictures."
Where is the line to be drawn? (Score:5, Insightful)
Had he just disclosed the flaw, would he more or less a criminal, ethically and legally speaking? It seems that worse would have come if he had simply published the flaw right away.
Was he justified in asking for compensation for his findings? If not, this seems to obligate us to "work for free" when discovering such a security problem.
What do others here think?
If you break in to someone's system (Score:5, Insightful)
This seems perfectly reasonable and there is plenty of precident in the physical world:
My house has many known security flaws. The largest would be the windows. They are easily broken with just a rock, allowing access. My door would also be a flaw, it's solid, but nothing a battering ram in experienced hands couldn't break down in a few minutes. My lock is aslo a flaw. IT's better than most, a high security lock that is much harder to pick than normal, but it still is pickable.
So, if someone breaks into my house and demands money to fix it, should I honour that? No, I'd by perfectly jsutified in holding them at gun point and calling the police to have them punished. Regardless of thier intent, it's MY house and you'd better not enter it without my permission.
It is similar for computer systems. If I pay you to hack my stuff and report on it, great. YOu are providing a valuable service and I thank you. IF you break into my stuff without my permission, you are a criminal pure and simple.
Also, demanding money ex post facto is something else we have a law against, it's called balckmail and is illegal.
Look, if you want to find flaws in stuff, do it legally. Contact the owner and ask if you may hack them. If they say no, move on. IT is not your duty or right ot mess with their stuff without permission.
Re:If you break in to someone's system (Score:5, Funny)
hey! just like my computer!
</obligatory karma whoring>
suit talk (Score:5, Insightful)
"Internet Protocol Address Verifyer" sounds like something you'd find in a Movie OS. Of course, like all other buzz words, the name is not related to the alledged function.
They either used a webbug, og checked the IP in the header of the mail he sent with his claim.
Anti-Spam tool? (Score:3, Interesting)
Carnivore? More like overreaction (Score:5, Insightful)
Re:Carnivore? More like overreaction (Score:4, Insightful)
I doubt they have anything as fancy as a IPAV (Score:4, Insightful)
If he wasnt clueless he would have used a dummy email account and checked it via rental computer or at the very least a dial up account using *69 ( which can still leave your number ) and a prepaid credit card / gift card.
This guy reminds me of the old irc script kiddies who would do things from their house and wonder how they were tracked down. While anonomyzers are available it makes me wonder if he,
a. used one
b. had used a computer before
As to the FBI ip verifier i find it hard to believe they have anything more advanced then the current jscript / asp / log parsers to pull ip information.
AFIK the absolute most a email address can yeild is the ip of the server. However with the email headers im sure you can get a ip without too much trouble with a warrant.
Note to extortionists... (Score:4, Funny)
Make sure you turn off Message Disposition Notification in your e-mail client.
Web bug (Handy for job application e-mails) (Score:5, Insightful)
Internet Protocol Address Verifier? Is this Carnivore in action?"
That'll be a tiny 1x1 pixel gif embeded in a HTML e-mail called from the feds server.(AKA web bug... You cant turn off HTML in M$ LookOut and this dude dosent sound very clued up)
Presto, the feds know who opend the mail how long they looked at it etc etc etc.
A top tip (tm) is to embed a web bug in a job aplication e-mail. Its interseting to watch your aplication being pushed around various departments and see who actually reads it.
Re:Web bug (Handy for job application e-mails) (Score:5, Informative)
Oh yes you can [sniptools.com] - something I rely on to avoid spammers using the same trick!
this dude dosent sound very clued up
My thought exactly
Re:Web bug (Handy for job application e-mails) (Score:5, Funny)
Yes, it's very interesting. For example, here's the log of all the machines who accessed my web bug when applied for a job at the DHS:
frontdesk.dhs.gov
hr.dhs.gov
check.dhs.gov
c
check.irs.org
it.dhs.org
counterte
legal.dhs.org
submitsubpoena.aol
bust.usmarshals.gov
brb 2 secs, someone's at the door...
Just do not let (Score:3, Funny)
What carnivore does. (Score:5, Informative)
Over here [fbi.gov] there is a Congressional Statement of what Carnivor "officialy" does, or is "allowed" to do. One paragraph of this statement:
Carnivore is a very effective and discriminating special purpose electronic surveillance system. Carnivore is a filtering tool which the FBI has developed to carefully, precisely, and lawfully conduct electronic surveillance of electronic communications occurring over computer networks. In particular, it enables the FBI, in compliance with the Constitution and the Federal electronic surveillance laws, to properly conduct both full communications' content interceptions and pen register and trap and trace investigations to acquire addressing information.
gives us the gist of it. So yes this very well be Carnivore in action.
Google appears to be stumped too (Score:5, Interesting)
Concerns about Best Buy (Score:5, Interesting)
Uhh... (Score:3, Informative)
So now what the white caps do is...publish! (Score:3, Informative)
So, since you don't want to treat me with respect like I treat you with respect, from now on I won't be nice or treat you with respect. I'll publish your flaws for all to see. It can be as big a publication as slashdot or bugtraq, or as small a publication as telling my friends and throwing it up on p2p.
I guess we'll have to teach them what happens when they treat us with no respect. This is a decision every white cap has to make for themselves.
I for one, am done playing the part of the nice martyr. The day I get arrested and incarcerated for releasing information I or someone I know researched because someone doesn't like loosing money is the day we no longer live in a free country, and the day I go black cap. Believe me, I don't want it to come to that, I like my steak and potatoes and living in a nice house, but if that's where it's going I am going to defend my hobby.
What he did is still illegal (Score:5, Insightful)
People who illegally break into systems deserve no more respect or consideration than people who illegally break into houses. You have no right at all to enter or use other people's property without their permission. Don't pretend like because it is a computer system that makes it any better.
IT's like lock picking. IF you want to learn to pick a lock and find out its venurabilities, go right ahead. But do it on a lock you own. But the lock in question and play with it. To go to someone else's house and try on their lock without permission is illegal and immoral. You've no right to mess with their property.
So if you get asked/hired to test someone's security (physical or virtual), great. Do what you can and give them a report. If you have something you own (physical or virtual) and you discover a security flaw, great, make it known so a fix can be developed. But do NOT presume you have the right to invade the property of others. It doesn't matter if it is venurable or not, it's not yours so you keep out.
Re:What he did is still illegal (Score:4, Insightful)
-- You need to think about what "property" is --
*You* put resources on the Internet. Obviously, for *some* reason.
Normally, the reason you would do that is to provide some service to users. Usually anonymous, given that this is the Internet, and not your private Intranet. If you want it private, don't put it on the Internet.
And, in putting in on the Internet, the resource is available for use.
What you *haven't* done is contracted with *me* as to how to use the service or resource.
Let's put this in simpler terms -- if you have a 20 dollar bill in your pocket, it's yours. If someone takes it that's probably theft.
If you put the same bill out in a public place (say, on a public sidewalk) and then go away, and someone takes, it's probably NOT theft.
When does a resource stop being the "property" of someone? The simplest answer is when they have no control on that resource. Another
Currently, legislation is trying to make a distrinction between "authorized" and "unauthorized" use of such a service or resource. "unathorized" if the provider of the resource doesn't like the way its used. [Of course, that's very slippery slope.]
Ratboy.
And they proved what ... ? (Score:3, Interesting)
What if the email was send (the smtp server was invoked) from a compromised computer. There are lots of win98 online with hundreds exploits ready waiting for somebody who needs an IP to do something from. What if the person uses a cascade of proxyes and shells.
I will just mention all the possibilites the iproute2 package gives to move network segments and obscure what is going on.
We should do everything possible to prevent the court system to take computer generated information (logs) as a reliable evidence, because it may be just the start of the witch hunt...
Thier flaws have been published before (Score:4, Informative)
It even goes in depth on how to get into thier private network from a display PC.
How to find info on hiring and firing people etc.
How to order stuff and have it sent.
666? I thought it was 2600! (Score:4, Informative)
Ok , thats a bit obscure but a real hacker will know what I mean.
If he had used spammer techniques.. (Score:5, Informative)
and few other ways of hiding yourself, as below
1. Dedicated firewalled Linux Laptop with WLAN, and changing MAC
2. WarDrive around for a unsecure internet connection.
3. Use proxies from unsecured PC's, lists available from DBL providers, or you Email server logs.
4. Setup up a web mail account, and send business proposal.
5. WarDrive to other access poiunt for continuing dialog
6. Travel around a bit to avoid setting a Wardrive pattern
I would think this would be very difficult to trace without social engineering
Re:If he had used spammer techniques.. (Score:3, Informative)
1. Dedicated firewalled Linux Laptop with WLAN, and changing MAC
2. WarDrive around for a unsecure internet connection.
3. Use proxies from unsecured PC's, lists available from DBL providers, or you Email server logs.
4. Setup up a web mail account, and send business proposal.
5. WarDrive to other access poiunt for continuing dialog
6. Travel around a bit to avoid setting a Wardrive pattern
That's a good start but if they really wanted they'd still have something to track him down by. First you'd have to
This doesn't make sense (Score:5, Insightful)
You have to realize that we are getting our information about this incident from a NEWSPAPER, which the very least reliable source for technical topics. Remember this [slashdot.org] clueless newspaper article?
I'd say we know little about what actually happened here.
What are you supposed to do? (Score:5, Interesting)
About a month ago I discovered what could be deemed a weakness in a relatively popular online merchant's order status system, allowing anyone to view the order status for any order in the system just by changing an ID field in the URL. I often try changing such values in URLs like this for no real reason (a habit from designing my own web-based scripts), and I've never found an exploit until now.
So with a simple perl script, it would be possible to download and parse the mailing address, shipping address, items ordered, amount paid, credit type (NOT credit card type or credit card number, thankfully) and other assorted information for any given order. After some brief checking, I determined there were over five million orders viewable in this manner, going back a few years.
So what am I supposed to do? I have no interest in establishing a 'business relationship' with this online merchant, telling everyone how to do it seems like it would cause more harm than good, and I fear being ostracized or even litigated for 'hacking' if I tell the company, even if all I did was change a sequential, non-encrypted number in an URL.
Or is the information accessible not a big deal to worry about?
Re:What are you supposed to do? - options (Score:5, Insightful)
My rule of thumb is that if a piece of information can be obtained and tracked to a specific individual, it's dangerous. That's the rule I use in my work as well.
When I decide the situation warrants it, I send a professional, formal email to the company ( also the web admin if there is one ), stating what I found, screenshots and leave it at that. Sometimes I will point out that I intended to place an order, but halted when I saw the issue. I also let the company know they may contact me if more information is needed.
This is what has happened in the past following these emails:
1. Almost all companies send me an email thanking me and letting me know the problem has been corrected, and it has been. Case closed.
2. I get a nasty email from the company ( usually this is with SMALL operations) telling me to take my business elsewhere. At first I would attempt to politely explain the risk, but soon realized that some sites have no intention of listening to me, and gave up. In that case, I may notify the BBB or other organization just to get someone else on their tail. I don't have time to chase down other people's security holes, so the best I can hope for is to let others know.
In any case, I always use the Enron rule: What if I later had to explain my actions to a grand jury?
Re:What are you supposed to do? - options (Score:4, Interesting)
These people market and sell a product they probably know is shoddy. What makes you think they'd have the moral fibre or restraint to refrain from shooting the messenger? You can't trust their software, what makes you think you can trust them?
Wait until he actually received the payment ... (Score:5, Funny)
HTML bug (Score:5, Interesting)
I've had one case where a friend and I were writing a boobytrapped shell on a Linux box, to use as the login shell for a suspected system cracker, and he logged in, saw the new shell (which we hadn't quite installed yet) and RAN THE BLOODY THING FOR US! We got all the data we needed to track him down right there and then, phoned his ISP and got him shut off on the spot.
So - yes, even the more savvy often do really really stupid things...
Belongs on America's Dumbest (Score:5, Funny)
1. Rob Taco Bell right after filling out job appication and interview. Be arrested when cops show up at your address on the application.
2. Send extortion/blackmail emails using MS-Outlook from your normal ISP account. Be busted when FBI sends email using marketing tool like Neighborhood Email or eZine Manager. FBI is too embarassed to admit they used an e-newsletter tool and come up with the "ip address verifier" device.
3. Shoplift naked. Be arrested when cop identifies the incredibly stupid butcher's meat chart tatoo when streaking through campus on a dare.
4. Keep crack pipe, crack and lighter in glove box. Be arrested when you see a billboard advising "Drug checkpoint next exit" and begin throwing crack, lighter and pipe out the window while police are video taping looking for people throwing drugs and paraphanellia out the window.
Ask the reporter? (Score:5, Informative)
<sarcasm> oh wait - this is slashdot right - only two people actually read the article. </sarcasm>
I emailed Mr. David Phelps asking what an "Internet Protocol Address Verifier" was and his brief reply was the following.
"it's commonly referred to as a web bug. i used the term as contained in the government's search warrant."
So while the theorizing here did come up with that as a possibility - it also came up with lots of other BS.
Now the bizarre thing is that the feds used such a wierd term. Then again to a judge or lawyer the term "web bug" probably seems pretty bizarre.
I know what he was doing (Score:4, Funny)
Just a little "bug" in the mail, silly wabbit (Score:5, Informative)
Easy does it, apply the KISS principle to life.
However, a bug says: "you're being bugged" (Score:5, Interesting)
The problem with an embedded image bug is that if the recipient views the source of the email -- and presumably this alleged extorter is a techie -- it's easy to spot such a bug, and so there's a real risk that including a bug would tip him off to the investigation.
So, it may be an HTML bug, but perhaps not...
Re:However, a bug says: "you're being bugged" (Score:5, Insightful)
Only when you're doing mass mailings. If it's targeted, it is indistinguishable from a standard image... e.g.
http://corporate.bestbuy.com/images/corporatelo
could be a web bug if you only send that URL to one person. The reason it's more obvious in mass mailings is because they require a unique identifier to have something to map back to the email address such that they can verify the address as live.
Re:Just a little "bug" in the mail, silly wabbit (Score:5, Informative)
Learn somethin' new each day... (Score:4, Insightful)
I read this and was foolishly thinking (probably like many do) that "oh, if I don't download an attachment and execute it there really is no danger. I mean really, if I don't "run" anything, how would anyone know?"
Silly wabbit is right. It's another case myself of not being able to see the forest for the trees.
I guess ANY HTML email can be malicious in a sense that it can snarf info if it actually interprets and points you to ANY website when you read it in its rendered state.
Talk about eye opening. I'll bet 90% of the general public don't actually realize this can easily be done for targeting purposes. With this in mind it's probably not hard (and don't flame me for not knowing this guys) but targeted spam in order to verify addresses could point to "specially coded"
"The aspects of things that are most important to us are hidden because of their simplicity and familiarity" - Ludwig Wittgenstein
Re:Just a little "bug" in the mail, silly wabbit (Score:5, Insightful)
The guy was smart enough to try to break the site, and he couldn't figure how to get/send email without being traced??? And why would he use anything but plain text email either? And probably using Outlook? He was asking for it...
Re:Just a little "bug" in the mail, silly wabbit (Score:4, Insightful)
Uh, yeah... The ones who do pay off blackmailers (and it does happen) don't generally advertise it. When a corporation is successfully extorted, it tends to stop there, unless the bastards ask for a second ransom.
Re:U.S. government surveillance (Score:5, Insightful)
Huh. It reminded me of Stalin and Beria and the NKVD, but you're right, better we should take our lessons from space opera than from history.
George Lucas's fertile imagination is so much more convincing than those ponderous, dusty history books. And you can't eat popcorn and jujubes while reading books, it gets the pages too sticky.
Please Think Before Exposing Paranoia (Score:5, Insightful)
It's also rather similar to your local mail carrier knowing where you live. Is that surveillance, too, or are you simply paranoid?
If Best Buy had received the same threat via snail mail, and the FBI looked at the return address on the envelope, would you be screaming about surveillance?
The Internet is not some mystical land that exists apart from reality and the law, contrary to the constant stream of silly
Next time, please think bekore exposing yourself as a paranoid llon, OK?
Double Standard (Score:5, Insightful)
Here is a nice hack done for a good reason by the same law enforcement that is supposed to investigate and stop such crimes as extortion. And how do we react? Government spying! Conspiracy!
Really. That's just not very reasonable on our part.
Re:Please Think Before Exposing Paranoia (Score:5, Informative)
Re:Please Think Before Exposing Paranoia (Score:5, Informative)
Re:Please Think Before Exposing Paranoia (Score:3, Insightful)
Re:Please Think Before Exposing Paranoia (Score:4, Insightful)
Re:Please Think Before Exposing Paranoia (Score:5, Funny)
This example of the counter-"point" is brought to you by the citizens for people thinking first before typing. Thank you.
Re:U.S. government surveillance (Score:5, Funny)
Huh. It reminded me of Stalin and Beria and the NKVD, but you're right, better we should take our lessons from space opera than from history.
In Imperial Coruscant, history takes lessons from YOU!
Re:U.S. government surveillance (Score:3, Interesting)
(not that Stalin and Beria were nice guys, mind you -- it's just that there aren't mass executions in the U.S. yet)
Re:is carnivore bad? (Score:3, Insightful)
Re:is carnivore bad? (Score:5, Informative)
No, it isn't. Like another poster said, this is really just a web bug. Carnivore is a sophisticated system for parsing billions of e-mails and flagging interesting things like threats against the President for analysts to examine, but has nothing to do with validating return addresses or anything like that.
The only way to actually know that someone is actually receiving your e-mail at a particular location is to include a web bug that reports their IP address back to you, by opening a socket connection directly to something on a server you own (e.g. an image). So either include an image in the e-mail which is requested from your server, or include a trojan that "phones home" when they run it.
It works. Try it the next time you want to see who's really spamming you. Just send a web bug to whatever the response address is they want you to contact, (you know, for your Nigerian money-laundering instructions), and then examine your server logs carefully to find out where they really are in the world. Of course, you could also send them a backdoor if you wanted, instead of just a beacon, but I would never countenance such uncivilized behavior
Re:is carnivore bad? (Score:3, Insightful)
Re:is carnivore bad? (Score:5, Insightful)
So to answer your question, I would rather have some guy off the street spying on me than the goverment ANY DAY OF THE WEEK! There is something that you don't understand about the government--any government. Governments are far more powerful than 1000 people put together! They have immense power. The illusion of a legal system--which IS an illusion--does not change any of this. One just needs to look through the history of the government that you live under to see what I mean (I picked USA but you can pick any govt).
Sivaram Velauthapillai
Re:is carnivore bad? (Score:5, Informative)
Re:is carnivore bad? (Score:5, Informative)
Maybe you'll learn something... just maybe.
Sivaram Velauthapillai
Re:is carnivore bad? (Score:4, Informative)
Obviously you haven't heard of the Patriot Act, or the Domestic Security Enhancement Act.
http://www.aclu.org/SafeandFree/SafeandFree.cfm
* The government no longer has to show evidence that the subjects of search orders are an "agent of a foreign power," a requirement that previously protected Americans against abuse of this authority.
* The FBI does not even have to show a reasonable suspicion that the records are related to criminal activity, much less the requirement for "probable cause" that is listed in the Fourth Amendment to the Constitution. All the government needs to do is make the broad assertion that the request is related to an ongoing terrorism or foreign intelligence investigation.
* Judicial oversight of these new powers is essentially non-existent. The government must only certify to a judge - with no need for evidence or proof - that such a search meets the statute's broad criteria, and the judge does not even have the authority to reject the application.
* Surveillance orders can be based in part on a person's First Amendment activities, such as the books they read, the Web sites they visit, or a letter to the editor they have written.
* A person or organization forced to turn over records is prohibited from disclosing the search to anyone. As a result of this gag order, the subjects of surveillance never even find out that their personal records have been examined by the government. That undercuts an important check and balance on this power: the ability of individuals to challenge illegitimate searches.
It goes on and on. Where there once was vast amounts of paperwork, now a simple "it's a terrorist judge, sign this" and it's done.
Now, as long as that is used only against what most of us consider a "terrorist" (ie, a person who wishes to physcially and violently attack non-military targets for the sake of influencing political opinion), I don't personally mind too much. In Tulsa, we have a building that is a 1/3 (or somewhere around ther) replica of the World Trade Center (or what used to be the WTC). We also had a terrorist act in OKC. But I have a strong suspicion (backed up by numerous historical incidents) that these powers WILL be abused against our citizens that are not really "terrorists". The problem is that the bill(s) have past, and are now in enforcement.
Not that this really has anything to do with what the FBI did. I applaud them in apprehending this individual, and find is somewhat funny that is was done with such a simple method.
Re:Webmail (Score:5, Insightful)
Re:Not Carnivore.. (Score:3, Redundant)
This is not freaking high tech.