Feds Thwart Extortion Plot Against Best Buy
hiero writes "From an article in the Star Tribune: 'Federal authorities said Tuesday they thwarted an extortion plot against Best Buy Co. Inc. by a man who sent the company an e-mail threatening to expose what he claimed were weaknesses in the retailer's computer system unless he was paid $2.5 million.' What's really interesting to me, though, is this paragraph further on in the article: 'The federal search warrant was obtained the morning of Oct. 24 and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.' Internet Protocol Address Verifier? Is this Carnivore in action?"
The U.S. government does more world-wide surveillance than any government ever has.
Internet Protocol Address Verifier? Is this Carnivore in action?
This could effectively stop spam, at least in conjunction with additional laws. Would it be worth it?
----
Squirrel
I think it's called a return receipt :-D Probably was using Outlook which automagically sends one when requested.
Blogzine
That's what happens when you try to extort a big company using Outlook.
"0101100101? It's just jibberish. *looks in mirror, gasps* 1010011010@!? AHHHHHH!!"
Okay... I'll do the stupid things first, then you shy people follow.
[Zappa]
and this is where he's going to say his computer was hijacked, right? Even Carnivore has its limitations.
I hope the guy will still send the info to 2600.
And "Internet Protocol Address Verifier"? Whoa! Sounds like a tool in the Uplink game. Never heard of it though. A quick search on Google didn't return anything relevant.
All Hail Discordia. Hail Eris. Fnord.
Easy does it. You don't need a big surveillance program, just add a bug to your email that "grabs" the reader's IP addy and voila!
Easy does it, apply the KISS principle to life.
~~~Please pass the salt, I hate unsalted MD5s
sounds so much better than "ping"
On one hand, if a genuine white hat hacker finds an exploit in a network and tells the owners about it, s/he finds himself ostracized for the action, and is threatened with legalities.
And on the other hand, what this guy tried to do was establish a "business relationship" -- notice that he did try to contact them first with the offer to help them:
The e-mail also offered to establish an unspecified business relationship between the sender and Best Buy, adding: "Without your response, we are obligated to share the security hole with the public for their protection. As a result, Best Buy may experience a loss in business, thefts and lawsuits."
Of course, once he noticed he wasn't getting anywhere, he decided to resort to good ol' blackmail.
Honestly, this was bound to happen some day or the other. When legitimate security people point out bugs and holes, they get treated like scum and are threatened with lawsuits. So what's the best thing to do? Threaten the companies with money. Even if 0.1% of the companies gave in, it still is a way of making money.
Good, at least this way companies will be more careful about protecting data.
Fancy name for a web bug perhaps? Maybe not, otherwise we'd see Microsoft crowing about how the lack of security in Outlook Express is useful...
Hmm, sounds like a fancy name for a computer expert. All you have to do is read the SMTP headers in most email and it will reveal the sender's IP. Just trace it back down the line of servers through which the email was routed, and you get back to the original IP address.
If the sender is spoofing headers, however, this becomes more difficult. Why not just subpoena the ISP for their email data? Doesn't the server keep a log of what IP addresses sent which pieces of email?
For example:
Received: from [65.119.30.157] (helo=SMTP.magnellmail.net)
by snoopy-bak.runbox.com with smtp (Exim 4.24)
id 1Ae9TJ-0006F6-B0
for xxxxxxxx@runbox.com; Wed, 07 Jan 2004 09:55:25 +0100
Received: from mail pickup service by E1SSL2 with Microsoft SMTPSVC;
Wed, 7 Jan 2004 00:56:48 -0800
The above shows that someone at 65.119.30.157 sent this email. It went through their mail server (magnellmail.net) to runbox, my provider. From there, Runbox directed it to my Inbox when I opened Outlook.
There is also a very unique message ID at the end of the headers section:
Message-ID: [E1SSL23ZpEVmkWFBXZG000011b9@E1SSL2]
Could this be used by the Email provider to find out who sent emails, if the IP address is missing or spoofed?
Homestarrunner.net -- It's Dot Com!
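One way to do what the comment above describes, as an added example (not code from the thread): parse the Received chain of a constructed message, modelled on the quoted headers, and take the peer IP only from the first hop written by a relay you trust, since everything below that line arrived inside the message and could have been forged by the sender. Host names, the IP and the trusted-relay list are assumptions.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message, modelled on the header excerpt quoted above.
# Received headers appear in the order a mail client shows them: the top
# one was added last (closest to the recipient), the bottom one first.
SAMPLE_MESSAGE = """\
Received: from [203.0.113.45] (helo=SMTP.example-relay.net)
\tby mx1.example-isp.net with smtp (Exim 4.24)
\tid 1Ae9TJ-0006F6-B0
\tfor victim@example-isp.net; Wed, 07 Jan 2004 09:55:25 +0100
Received: from mail pickup service by WORKSTATION with Microsoft SMTPSVC;
\tWed, 7 Jan 2004 00:56:48 -0800
Message-ID: <constructed-0001@WORKSTATION>
From: someone@example-relay.net
To: victim@example-isp.net
Subject: constructed sample

body
"""

# A bracketed dotted quad is how MTAs record the peer that connected to them.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Return the Received headers, unfolded, top (latest hop) first."""
    msg = email.message_from_string(raw)
    return [re.sub(r"\s+", " ", h).strip() for h in msg.get_all("Received", [])]


def hop_time(hop):
    """Timestamp the MTA stamped on its Received line (text after the last ';')."""
    if ";" not in hop:
        return None
    return parsedate_to_datetime(hop.rsplit(";", 1)[1].strip())


def originating_ip(raw, trusted_relays):
    """IP of the host that handed the message to the first relay we trust.

    Walk the chain from the top (our side) downwards.  The first Received
    line written by one of our own relays records the peer that connected
    to it.  Lines below that were already inside the message when it
    reached us and may have been written by the sender, so they are ignored.
    """
    trusted = {r.lower() for r in trusted_relays}
    for hop in received_chain(raw):
        by = re.search(r"\bby (\S+)", hop)
        if not by or by.group(1).rstrip(";,").lower() not in trusted:
            continue
        m = IP_RE.search(hop)
        if m:
            return m.group(1)
        # A trusted relay with no peer IP (e.g. local pickup): keep walking,
        # but only another trusted hop will be accepted.
    return None


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_MESSAGE):
        print(hop_time(hop), "|", hop[:70])
    print("origin:", originating_ip(SAMPLE_MESSAGE, {"mx1.example-isp.net"}))
```

The hop timestamp is what you would hand to the ISP together with the IP; a dynamic address means nothing without the time it was in use.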
I did something similar once. I put a tiny transparent image URL in a letter to try to get the IP address of someone. Then I monitored the server logs where the image was hosted.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Sounds more like a html based email, accessing some type of a remote object..
:)
Seems the gov't has a new name for an old technique spammers used years ago to verify read mail.
I respect our gov't, but how many agents does it take to market old techniques?
Is it when he offered a "business relation" in exchange for fixing the problem? Or was it when he threatened to disclose the flaw? Or was it merely because he wanted money in return?
Had he just disclosed the flaw, would he be more or less a criminal, ethically and legally speaking? It seems that worse would have come if he had simply published the flaw right away.
Was he justified in asking for compensation for his findings? If not, this seems to obligate us to "work for free" when discovering such a security problem.
What do others here think?
This is just a case of bad journalism. Of course, there are many methods of getting the IP of the receiver of an email. The most common is a web bug (a link to an image on a server you control), but that requires the culprit to use a mail client that renders HTML.
"Internet Protocol Address Verifier" sounds like something you'd find in a Movie OS. Of course, like all other buzzwords, the name is not related to the alleged function.
They either used a web bug, or checked the IP in the header of the mail he sent with his claim.
...probably using an outlook bug...
Personally, why isn't technology like this being adapted to fight SPAM? Maybe the FBI is trying to keep tools like this under wraps so they can continue to use it against people, rather than knowledge of its existence being a deterrent... double-edged sword I guess. I'm honestly curious how serious the extortionists were... The scheme sounds very half-hatched to me...
~~~ SCO sued me because I printed this t-shirt with a Linux driven printer...
They got a warrant BEFORE they used the program. Whatever the program did - read information from his PC or just return IP address - it was a valid, legal search. We should be considering this a victory for our rights. The only way I can see anyone complaining about this is if the warrant was improperly obtained, but it seems entirely reasonable to "search" the email address that has been attempting blackmail.
easier way than checking the server logs for the image loading is to write a simple php script that makes a transparent gif/png. Then use the php script as the src of the img tag and 'do stuff' with that. ;) not sure if you would be able to extract the same amount of info as server logs this way...hmmmm
They probably just read the mail headers as soon as he replied to the letter they sent him. From this and the time the email was sent they probably had no trouble asking his ISP for the user information. Criminals are not always the smartest apples and he probably didn't even have a way to crack the website.
If he wasn't clueless he would have used a dummy email account and checked it via rental computer or at the very least a dial up account using *69 (which can still leave your number) and a prepaid credit card / gift card.
This guy reminds me of the old IRC script kiddies who would do things from their house and wonder how they were tracked down. While anonymizers are available it makes me wonder if he,
a. used one
b. had used a computer before
As to the FBI IP verifier, I find it hard to believe they have anything more advanced than the current JScript / ASP / log parsers to pull IP information.
AFAIK the absolute most an email address can yield is the IP of the server. However, with the email headers I'm sure you can get an IP without too much trouble with a warrant.
Karma's over rated. Speak your mind.
Best Buy and the Feds are working together! So that's why I have to return 90% of the hardware I buy from Best Buy!
Make sure you turn off Message Disposition Notification in your e-mail client.
Sheesh, evil *and* a jerk. -- Jade
Internet Protocol Address Verifier? Is this Carnivore in action?
That'll be a tiny 1x1 pixel gif embedded in an HTML e-mail called from the feds' server. (AKA web bug... You can't turn off HTML in M$ LookOut and this dude doesn't sound very clued up)
Presto, the feds know who opened the mail, how long they looked at it, etc etc etc.
A top tip (tm) is to embed a web bug in a job application e-mail. It's interesting to watch your application being pushed around various departments and see who actually reads it.
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
the Internet Protocol Address verifier get into the hands of the RIAA.. we would not want more 12 yr olds and college students being fined ridiculous amounts, would we? :D
Over here there is a Congressional Statement of what Carnivore "officially" does, or is "allowed" to do. One paragraph of this statement:
Carnivore is a very effective and discriminating special purpose electronic surveillance system. Carnivore is a filtering tool which the FBI has developed to carefully, precisely, and lawfully conduct electronic surveillance of electronic communications occurring over computer networks. In particular, it enables the FBI, in compliance with the Constitution and the Federal electronic surveillance laws, to properly conduct both full communications' content interceptions and pen register and trap and trace investigations to acquire addressing information.
gives us the gist of it. So yes, this may very well be Carnivore in action.
"It usually starts with some screaming. Afterwards there is much running around."
It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address.
So I think it's safe to assume that (1) Ray Sixpack was running Windows and (2) Feds have the right to create and use email viruses legally.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I guess the lesson we can learn here is that if you are going to extort, use a webmail service like yahoo. (unless it really was carnivore in action, then who knows if it would help)
This is the first time google has heard about it as well, apparently.
I'm much more concerned that their cash registers use WiFi without a lick of encryption... I read several stories a while back about people sitting out in the parking lot with sniffers, capturing credit card information...
When you find a bug, no matter how serious, with someone's system, publish it. Why do I speak such insanity? I reverse engineer hardware and some software for fun; if I find a bug I'll report it because I'm a nice person and I'd like it to get fixed. I understand that our society works only because the black caps have realized when they found a doomsday bug that implementing it would mean they turn society into hell and they'd be right in the middle of it. I'd like to make a difference and help to defend myself by helping others out; this is how I convince my selfish self to help others.
So, since you don't want to treat me with respect like I treat you with respect, from now on I won't be nice or treat you with respect. I'll publish your flaws for all to see. It can be as big a publication as slashdot or bugtraq, or as small a publication as telling my friends and throwing it up on p2p.
I guess we'll have to teach them what happens when they treat us with no respect. This is a decision every white cap has to make for themselves.
I for one am done playing the part of the nice martyr. The day I get arrested and incarcerated for releasing information I or someone I know researched because someone doesn't like losing money is the day we no longer live in a free country, and the day I go black cap. Believe me, I don't want it to come to that, I like my steak and potatoes and living in a nice house, but if that's where it's going I am going to defend my hobby.
Candy-Coated Knowledge
Even if there may be something that can trace from which (IP) address an event happened (though I completely agree with the 1x1 gif idea), I don't see how it may prove something in court.
What if the email was sent (the SMTP server was invoked) from a compromised computer? There are lots of Win98 machines online with hundreds of exploits ready, waiting for somebody who needs an IP to do something from. What if the person uses a cascade of proxies and shells?
I will just mention all the possibilities the iproute2 package gives to move network segments and obscure what is going on.
We should do everything possible to prevent the court system from taking computer generated information (logs) as reliable evidence, because it may be just the start of the witch hunt...
You can't turn off HTML in M$ LookOut
;-)
Oh yes you can - something I rely on to avoid spammers using the same trick!
this dude doesn't sound very clued up
My thought exactly
A top tip (tm) is to embed a web bug in a job application e-mail. It's interesting to watch your application being pushed around various departments and see who actually reads it.
Yes, it's very interesting. For example, here's the log of all the machines who accessed my web bug when I applied for a job at the DHS:
frontdesk.dhs.gov
hr.dhs.gov
check.dhs.gov
check.ins.gov
check.irs.org
it.dhs.org
counterterrorism.dhs.org
legal.dhs.org
submitsubpoena.aol.com
bust.usmarshals.gov
brb 2 secs, someone's at the door...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Anyone that reads 666, otherwise known as the hacker quarterly, knows about all the problems in Best Buy's network.
It even goes in depth on how to get into their private network from a display PC.
How to find info on hiring and firing people etc.
How to order stuff and have it sent.
and few other ways of hiding yourself, as below
1. Dedicated firewalled Linux Laptop with WLAN, and changing MAC
2. WarDrive around for a unsecure internet connection.
3. Use proxies from unsecured PC's, lists available from DBL providers, or you Email server logs.
4. Setup up a web mail account, and send business proposal.
5. WarDrive to other access point for continuing dialog
6. Travel around a bit to avoid setting a Wardrive pattern
I would think this would be very difficult to trace without social engineering
mailto:EatSpamAndDie@princeweb.com
For any black-mail (male?) scheme always be prepared to back it up with several remote sites with cron scripts to email the content to everyone (buy a spam CD) unless you take actions daily/weekly/etc. to prevent the mail from sending. This is so that if you get taken into custody, the whole thing is blown open, since you're fucked anyway!
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
Presto, the feds know who opened the mail, how long they looked at it, etc etc etc.
No, they know when it was accessed, the user's IP address and the identification supplied by the mail client. They don't know how long it was looked at - HTTP doesn't hold the connection open all the time the image is on the screen.
Yeah but since PATRIOT, everything is a valid search...
The best way to do this would have been to use anonymous remailers and a nym address. Then you are protected from ISPs subpoenaing logs, as well as the email being encrypted and bounced around the net before it ends up in your inbox.
Those interested in finding out more about anonymous remailers should take a look at the APAS FAQ
However, were he to have the final email arriving in his Outlook, and he decrypted it with the PGP plugin, then a web bug could well have taken effect.
More likely they used some unpublished vulnerability in Outlook, possibly even one that the FBI found themselves...?
You cant make anything foolproof, they'll only invent better fools.
When I read the slashblurb my first thought was of the old AIM trick from back in the days when WinNuke still worked... the AIM hides people's IP addresses perfectly, but if you could trick someone into going to a URL you had access to the logs of, you could get their IP anyway...
P.S. your sig rocks
...iffy email then examining it with a simple mail client that won't parse any MIME or HTML first is always a good idea. "mail" springs to mind on unix.
Yes you can switch off most features in advanced email clients but it's always best to be 100% sure and since "mail" comes with ALL unix systems...
it sends the user an HTML message with an img src tag.. it records the ip address that requested the unique img src file
I guess the DTMF has changed!
OK, that's a bit obscure but a real hacker will know what I mean.
You have to realize that we are getting our information about this incident from a NEWSPAPER, which is the very least reliable source for technical topics. Remember this clueless newspaper article?
I'd say we know little about what actually happened here.
If I had found such a loophole I would set myself up as an Internet security consultant, get a business card, letterhead company, and start making urgent requests for appointments with the board of BestBuy to discuss a matter of urgency with them. Of course you'd get brushed off for a while (all carefully logged by you) and finally end up seeing some underling. You then tell him your analysis has found a security flaw in their system and suggest them funding a project for a full analysis of their system and closing of loopholes.
If they turn you down (or turn the price down) warn them that you are publishing a paper on precisely the security hole their system possesses in the near future and warn them that certain unscrupulous hackers might try to exploit it (again all carefully documented by you).
You'd still get the cash and they'd be unable to touch you in a court of law.
You guys are forgetting that for Best Buy to be able to contact him, he'd almost certainly need to leave an email address. Unless he did so with an address hosted in a foreign country, they could have just searched his email provider's server logs and gotten his IP address that way.
(Somewhat off-topic, but a related topic, honestly)
About a month ago I discovered what could be deemed a weakness in a relatively popular online merchant's order status system, allowing anyone to view the order status for any order in the system just by changing an ID field in the URL. I often try changing such values in URLs like this for no real reason (a habit from designing my own web-based scripts), and I've never found an exploit until now.
So with a simple perl script, it would be possible to download and parse the mailing address, shipping address, items ordered, amount paid, credit type (NOT credit card type or credit card number, thankfully) and other assorted information for any given order. After some brief checking, I determined there were over five million orders viewable in this manner, going back a few years.
So what am I supposed to do? I have no interest in establishing a 'business relationship' with this online merchant, telling everyone how to do it seems like it would cause more harm than good, and I fear being ostracized or even litigated for 'hacking' if I tell the company, even if all I did was change a sequential, non-encrypted number in a URL.
Or is the information accessible not a big deal to worry about?
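As an added illustration of the order-status weakness described in the post above (not the merchant's code): a lookup keyed only on the sequential id, beside the same lookup with an ownership check, plus an HMAC-based reference for tracking links that have to work without a login. The order store, user names and secret are constructed.

```python
import hmac

# Constructed order store with sequential ids, as in the site described above.
ORDERS = {
    1001: {"customer": "alice", "ship_to": "1 Main St", "items": ["camera"]},
    1002: {"customer": "bob", "ship_to": "2 Oak Ave", "items": ["laptop"]},
}


def order_status_vulnerable(order_id):
    """The pattern in the post: the id from the URL is the only key.

    Anyone who can count can read every order.
    """
    return ORDERS.get(order_id)


def order_status_fixed(order_id, session_user):
    """Same lookup, but the record must belong to the authenticated user.

    Return the same None for "no such order" and "not your order" so the
    response does not reveal which ids exist.
    """
    order = ORDERS.get(order_id)
    if order is None or order["customer"] != session_user:
        return None
    return order


def tracking_token(order_id, secret):
    """Unguessable per-order reference for e-mailed tracking links.

    Derived from the id with a server-side secret, so the public link
    carries no sequence an outsider can walk.  Assumed design, not the
    merchant's.
    """
    return hmac.new(secret, str(order_id).encode(), "sha256").hexdigest()[:32]


def order_status_by_token(order_id, token, secret):
    """Guest lookup: the id is still in the link, but only with its token."""
    if not hmac.compare_digest(tracking_token(order_id, secret), token):
        return None
    return ORDERS.get(order_id)


def exposed_count(lookup, start, stop):
    """Walk an id range against a lookup function on a test instance and
    count what comes back; the check a site owner runs to see how much a
    plain id walk would expose."""
    return sum(1 for i in range(start, stop) if lookup(i) is not None)


if __name__ == "__main__":
    print("vulnerable:", exposed_count(order_status_vulnerable, 1000, 1010))
    print("fixed, as alice:",
          exposed_count(lambda i: order_status_fixed(i, "alice"), 1000, 1010))
```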
Imagine his surprise when he received a $2.5 million Best Buy Gift Card in the mail. Doh!
Keep your Bush '04 t-shirt on, mate. We're discussing the technology, not the legality.
:)
Anyway, since PATRIOT, you have at least one less right to be victorious over.
USA! USA! USA! GO TEAM!
I imagine that yep, this person isn't savvy enough to not use html email, and they slipped a web bug into the email. Hell I'd try it just on the off chance, and it looks like it paid off for your Feds that time...
I've had one case where a friend and I were writing a boobytrapped shell on a Linux box, to use as the login shell for a suspected system cracker, and he logged in, saw the new shell (which we hadn't quite installed yet) and RAN THE BLOODY THING FOR US! We got all the data we needed to track him down right there and then, phoned his ISP and got him shut off on the spot.
So - yes, even the more savvy often do really really stupid things...
-- ted russ http://www.arach.net.au/~ted/mydynes/ http://www.arach.net.au/~ted/myblogs/
Only supported in Outlook 2002. Anyone done it without breaking Outlook 2000 accessing exchange server rather than POP mail?
This is not surveillance. This is just identifying the IP address of the recipient of email. Seems to me that's rather similar to using ping or whois. IP addresses and domain registrations are public, not private.
It's also rather similar to your local mail carrier knowing where you live. Is that surveillance, too, or are you simply paranoid?
If Best Buy had received the same threat via snail mail, and the FBI looked at the return address on the envelope, would you be screaming about surveillance?
The Internet is not some mystical land that exists apart from reality and the law, contrary to the constant stream of silly /. posts that seem to believe otherwise. Get over it. The Internet is not special and people don't get a free pass because they use it for criminal behavior.
Next time, please think before exposing yourself as a paranoid loon, OK?
-- Slashdot: When Public Access TV Says "No"
Good Lord, you mean you have to use regedit to turn off HTML? I got upset with some family members because I told them to turn off HTML email for both sending and receiving. Didn't think they'd have to muck around with the registry to do this simple thing.
Every day it amazes me that people think the Internet experience on Windows is so much better than Mac or Linux. I can't browse for two minutes in IE without a bunch of popups appearing. There's no tabbed browsing. Inadvertent key presses can install stupid ClearSearch spyware. Now you show me that you need this non-intuitive procedure just to disable HTML. Amazing.
Show some proof please
Hey dumbass! If you had bothered to do even the simplest of searches, you would find out that Best Buy stopped doing this long ago.
Security people have a responsibility to tell their employers about potential vulnerabilities. They have no responsibility to compel their employees to pay attention to their advice. If that's what you're interested in, become a cop.
Blackmail is blackmail and extortion is extortion. And what you're advocating is simple vigilantism.
-- Slashdot: When Public Access TV Says "No"
without their permission you are a criminal, both legally and morally. My stuff is my stuff and I'll thank you to keep your hands off it. If you wish to audit anything I have, physical or virtual, you'd better ask my permission first, or you'll face consequences.
This seems perfectly reasonable and there is plenty of precedent in the physical world:
My house has many known security flaws. The largest would be the windows. They are easily broken with just a rock, allowing access. My door would also be a flaw; it's solid, but nothing a battering ram in experienced hands couldn't break down in a few minutes. My lock is also a flaw. It's better than most, a high security lock that is much harder to pick than normal, but it still is pickable.
So, if someone breaks into my house and demands money to fix it, should I honour that? No, I'd be perfectly justified in holding them at gunpoint and calling the police to have them punished. Regardless of their intent, it's MY house and you'd better not enter it without my permission.
It is similar for computer systems. If I pay you to hack my stuff and report on it, great. You are providing a valuable service and I thank you. If you break into my stuff without my permission, you are a criminal pure and simple.
Also, demanding money ex post facto is something else we have a law against; it's called blackmail and is illegal.
Look, if you want to find flaws in stuff, do it legally. Contact the owner and ask if you may hack them. If they say no, move on. It is not your duty or right to mess with their stuff without permission.
If the suspect was using Outlook he was very, very stupid. Just use PINE if you want to threaten a multi-million dollar corporation.
The suspect probably would have been better off asking for a job to help fix the problems. 2.5 million is a lot of clams. If he wanted to be hard core and blackmail Best Buy he should've just asked for a 2.5 million dollar Best Buy gift card.
Good Lord, you mean you have to use regedit to turn off HTML? I got upset with some family members because I told them to turn off HTML email for both sending and receiving. Didn't think they'd have to muck around with the registry to do this simple thing.
The horrible hack is only needed to stop it displaying incoming HTML e-mails. Stopping it sending them is easier, see: Sending plain text e-mail in Outlook
Look, if you have a piece of software and you hack it on your own systems and/or network, that is legal. You then publish the exploit, also legal. However, if you come and hack MY network without my permission, that's NOT legal.
People who illegally break into systems deserve no more respect or consideration than people who illegally break into houses. You have no right at all to enter or use other people's property without their permission. Don't pretend like because it is a computer system that makes it any better.
It's like lock picking. If you want to learn to pick a lock and find out its vulnerabilities, go right ahead. But do it on a lock you own. Buy the lock in question and play with it. To go to someone else's house and try on their lock without permission is illegal and immoral. You've no right to mess with their property.
So if you get asked/hired to test someone's security (physical or virtual), great. Do what you can and give them a report. If you have something you own (physical or virtual) and you discover a security flaw, great, make it known so a fix can be developed. But do NOT presume you have the right to invade the property of others. It doesn't matter if it is vulnerable or not, it's not yours so you keep out.
The #1 tech support issue after Office 2003 comes out:
"Where the heck are my images? Please make it act like the old Outlook."
It's good MS is doing this by default, but most users couldn't care less about security/privacy, especially when it interferes with "purty pictures."
The problem with an embedded image bug is that if the recipient views the source of the email -- and presumably this alleged extorter is a techie -- it's easy to spot such a bug, and so there's a real risk that including a bug would tip him off to the investigation.
So, it may be an HTML bug, but perhaps not...
Here's what I do: Bitty Browser & Andromeda
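As an added example (not from any poster) of the check the comment above relies on, and of the web bug mechanism discussed earlier in the thread: scan an HTML mail body for images that are fetched remotely and are either 1x1 or carry a per-recipient token in their URL. The sample body and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed HTML mail body: one ordinary image from the sender's own
# site, and one 1x1 remote image whose query string is unique to this copy
# of the message.  Fetching the second tells its server when the mail was
# opened, from which IP, and what client asked for it.
SAMPLE_HTML = """
<html><body>
<p>Please find our proposal attached.</p>
<img src="https://mail.example.com/logo.png" width="120" height="40" alt="logo">
<img src="https://track.example.net/open.gif?r=8f3a2c" width="1" height="1">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def find_web_bugs(html_body):
    """Return (src, reasons) for each <img> that looks like a web bug.

    Three heuristics, each named in the result: the image is remote
    (http/https, so displaying it makes a request), it is tiny (0 or 1
    pixel in both dimensions), or its URL carries a query string that
    makes the fetch attributable to this recipient.  A remote image is
    reported only when at least one of the other two also applies, so a
    plain logo is not flagged.
    """
    collector = _ImgCollector()
    collector.feed(html_body)
    hits = []
    for img in collector.images:
        src = img.get("src") or ""
        parts = urlsplit(src)
        reasons = []
        if parts.scheme in ("http", "https"):
            reasons.append("remote")
        width, height = img.get("width"), img.get("height")
        if width in ("0", "1") and height in ("0", "1"):
            reasons.append("tiny")
        if parse_qs(parts.query):
            reasons.append("tokenised")
        if "remote" in reasons and len(reasons) >= 2:
            hits.append((src, reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in find_web_bugs(SAMPLE_HTML):
        print(src, "->", ", ".join(reasons))
```

Reading the mail in a client that does not fetch remote images, or only after a check like this, is the practical defence the thread keeps coming back to.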
the dildo prolly used Outlook or Outlook Express or any HTML enabled mail reader; they put an <img src="..."> tag in and presto, you got your dumb wanker's IP.
No... its your mom in action.
I don't think this is Carnivore in action. It's just not how it works. Carnivore is a box that would be in place at the user's ISP, not at Best Buy.
Education: http://computer.howstuffworks.com/carnivore.htm
geek n performer who performs morbid or disgusting acts, as biting off the head of a live chicken
Sound advice to be sure... However that only takes care of the first part of the problem: communicating with your business partner... Now if your business partner realizes that they do need your service how do you get the money?
Maybe I'm just sleepy, but I broke a funny fuse when I read that.
--Ryan T
What does the Department of Human Services have to do with "counterterrorism"?
There are ways to track a message even without any bugs at the receiver side.
:)
All you need is the power to inspect all machines starting at the one that was the first destination of the message (and which is pointed to by the MX record for the domain, which must be public).
Then just examine the POP3 (or whatever) access logs and correlate the IP address with the time the access was done. The ISP can then provide information about who was logged in at that address at the time.
Except, of course, there are (lots of) trojaned machines acting as open proxies...
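The log correlation described in the post above, as an added example not taken from it: pick out POP3 logins for the target mailbox in the window after delivery, then map each (IP, time) pair to a subscriber using the ISP's session records. The log format, the addresses and the session table are all constructed assumptions; the last lookup shows why the time matters, since a dynamic address is reused.

```python
import re
from datetime import datetime, timedelta

# Constructed POP3 server log in a Dovecot-like style (the format is assumed).
POP3_LOG = """\
2004-01-07 09:40:02 pop3-login: user=<other@example-isp.net>, rip=198.51.100.7
2004-01-07 09:58:11 pop3-login: user=<suspect@example-isp.net>, rip=203.0.113.45
2004-01-07 10:12:40 pop3-login: user=<suspect@example-isp.net>, rip=203.0.113.45
2004-01-07 11:03:15 pop3-login: user=<suspect@example-isp.net>, rip=192.0.2.9
2004-01-07 14:20:00 pop3-login: user=<suspect@example-isp.net>, rip=192.0.2.9
"""

# Constructed ISP session records: which subscriber held an address, and when.
# The same address changes hands at 10:50, which is why a bare IP is not enough.
ISP_SESSIONS = [
    ("203.0.113.45", "2004-01-07 08:30:00", "2004-01-07 10:45:00", "subscriber-A"),
    ("203.0.113.45", "2004-01-07 10:50:00", "2004-01-07 13:00:00", "subscriber-B"),
    ("192.0.2.9", "2004-01-07 11:00:00", "2004-01-07 12:00:00", "subscriber-C"),
]

LOG_RE = re.compile(r"^(\S+ \S+) pop3-login: user=<([^>]+)>, rip=(\S+)$")
FMT = "%Y-%m-%d %H:%M:%S"


def logins_for(log_text, mailbox, not_before, window=timedelta(hours=2)):
    """(time, ip) of each POP3 login by `mailbox` within `window` of delivery."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), FMT)
        if m.group(2) == mailbox and not_before <= ts <= not_before + window:
            found.append((ts, m.group(3)))
    return found


def subscriber_for(ip, at):
    """ISP-side lookup: who held `ip` at instant `at`, or None if unknown."""
    for addr, start, end, who in ISP_SESSIONS:
        if addr == ip and datetime.strptime(start, FMT) <= at <= datetime.strptime(end, FMT):
            return who
    return None


def trace(log_text, mailbox, delivered_at):
    """Chain the two steps: mailbox access -> (ip, time) -> subscriber."""
    return [(ts, ip, subscriber_for(ip, ts))
            for ts, ip in logins_for(log_text, mailbox, delivered_at)]


if __name__ == "__main__":
    delivered = datetime(2004, 1, 7, 9, 55, 25)
    for ts, ip, who in trace(POP3_LOG, "suspect@example-isp.net", delivered):
        print(ts, ip, who)
```

Everything this establishes is "the subscriber whose line was used", which is the gap the next comment points at: a proxy or a compromised machine on that line gives the same log entry.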
We applaud the hackers who so cleverly get around protections on technology. We had our "Free Kevin Mitnick" and "Free Dmitry" campaigns.
Here is a nice hack done for a good reason by the same law enforcement that is supposed to investigate and stop such crimes as extortion. And how do we react? Government spying! Conspiracy!
Really. That's just not very reasonable on our part.
Hot Damn! It's the Soggy Bottom Boys!
he said, as though there were another kind.
BTW, christians are just a special kind of jews, and muslims are just a special kind of christian. They all belong on a bonfire.
I've actually run into this issue a few times. The action I've taken in the past pretty much directly relates to the severity of the security flaw. For example, I've seen URL hacks which allow you to grab another customer's credit card information, and then some which allow only address information.
My rule of thumb is that if a piece of information can be obtained and tracked to a specific individual, it's dangerous. That's the rule I use in my work as well.
When I decide the situation warrants it, I send a professional, formal email to the company ( also the web admin if there is one ), stating what I found, screenshots and leave it at that. Sometimes I will point out that I intended to place an order, but halted when I saw the issue. I also let the company know they may contact me if more information is needed.
This is what has happened in the past following these emails:
1. Almost all companies send me an email thanking me and letting me know the problem has been corrected, and it has been. Case closed.
2. I get a nasty email from the company ( usually this is with SMALL operations) telling me to take my business elsewhere. At first I would attempt to politely explain the risk, but soon realized that some sites have no intention of listening to me, and gave up. In that case, I may notify the BBB or other organization just to get someone else on their tail. I don't have time to chase down other people's security holes, so the best I can hope for is to let others know.
In any case, I always use the Enron rule: What if I later had to explain my actions to a grand jury?
Everyone seems to be giving this guy credit and claiming he should have gone about disclosing the flaws in a legal way. Well, nowhere in the article does it verify a real flaw. He offers a "step-by-step summary of how we were able to penetrate your Web site" for $2.5 million. This implies he wasn't planning on revealing the details of the flaw until the money was in his account. So he could just be a con artist hoping to make some money off of high tech fears.
Step 2: Extortion
no problem. y'all are much more important than a handful of fraudulent softwar gangster billyonerror felons. you know that?
If you're using POP3, then yes, it will always ask you for permission to send the receipt.
If you are using an Exchange server, then the decision can be taken out of your hands, depending on the Exchange server's settings.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
No, you see; since jews are filthy per definition, a filthy jew is especially filthy. Very filthy.
But you're right, of course. Judaism, Christianity, Islam; three weeds from the same root. Exterminate them.
Ummm... No... Not if your(the consumer) credit card number gets stolen, or an expensive package you ordered gets rerouted somewhere else for a thief to pick up.
In such cases, the consumer often does a whole lot of losing before anyone else, usually.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
Every day it amazes me that people think the Internet experience on Windows is so much better than Mac or Linux. I can't browse for two minutes in IE without a bunch of popups appearing.
Um, that's what the Windows version of Firebird is for. Microsoft may want you to confuse Windows and IE, but they're as separate as you want to make them.
that's right. turns out most of the US, is being held hostage buy payper liesense stock markup fraud execrable ?pr? ?firm? FUDgePackers from the redmond annex of wall street of deceit.
turns out the feds are won of the hostages themselves? lookout bullow?
Outlook 2003 has the option to both disable HTML and to disable loading of images, specifically aiming at web-bugs. Stop basing all of your opinions on 1997 era Outlook Express.
Obviously I just defended MS against outdated and uninformed /.ers, so this will be marked as trolling.
I think you'll find this was carnivore's "chain of evidence" feature in operation, and guessing at how they verified the recipient IP won't do you much good. Remember that NSA still measure computing power in acres.
The Slashdot Paradox: "100% Overrated"
As opposed to a big company who tries to extort us to use Outlook?
My beliefs do not require that you agree with them.
Here are three ways to get on America's Dumbest:
1. Rob Taco Bell right after filling out job application and interview. Be arrested when cops show up at your address on the application.
2. Send extortion/blackmail emails using MS-Outlook from your normal ISP account. Be busted when FBI sends email using marketing tool like Neighborhood Email or eZine Manager. FBI is too embarrassed to admit they used an e-newsletter tool and come up with the "ip address verifier" device.
3. Shoplift naked. Be arrested when cop identifies the incredibly stupid butcher's meat chart tattoo when streaking through campus on a dare.
4. Keep crack pipe, crack and lighter in glove box. Be arrested when you see a billboard advising "Drug checkpoint next exit" and begin throwing crack, lighter and pipe out the window while police are video taping looking for people throwing drugs and paraphernalia out the window.
-- $G
I couldn't tell from the article that Best Buy really has a security flaw. Most everyone has assumed that this guy is some sort of "computer expert". I think this guy is full of shit. "Give me 2.5 million or else."
"Give a woman two glasses of wine and some pad thai, and they'll agree to just about anything." the Sports Guy
Why did he not request a post on a News group in a Bible group, and respond as Job ????
Feds. What is it all about... is it good, or is it whack?
We need as big and powerful of a government as possible. Higher taxes, more police, more spyware, more surveillance. That's the whole goal of the Republican party, isn't it? Well, Mission Accomplished. Next time I'm voting Libertarian (Ex-Republican)
People don't exist to serve systems, systems exist to serve people.
Everybody applying for a government job goes through a counterterrorism check. I wanted to get a part-time job at the local Secretary of State office. All I would do is sit there and take driver's license pictures and hand them to the lady who entered the information into the computer. However, they decided I was a potential terrorist. Apparently, I'm safe enough to go out and buy a gun, watch people's children or pets, or even substitute teach in an elementary school, but I'm too dangerous to take driver's license photos.
It's not smart, or correct, but that's just the way it is.
Can we use it to trace and arrest those bastards that send out 'pay us $699 for Linux' extortion letters?
Not true. I just tried this in Outlook 2003.
Only difference is a slight change in the reg key.
HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Options\Mail
Add ReadAsPlain as a DWORD. Set to 1.
Voila! No more html in Outlook 2003.
The change is the 11. For 2000 it is 10.
Anyone know what version # previous versions use?
for a new keyboard - i was happily drinking my milk and reading /. when as I made my way across your post, inexplicably it all came out gushing through my nose -
Isn't that what we wanted when we voted for Bush instead of McCain?
People don't exist to serve systems, systems exist to serve people.
They insert a 'special' serial binary stream - one that can be embedded in pictures (child porn), email, Warez, illegal MP3s - you name it. They then have a special listener installed at the majority of all ISPs - whenever this special stream comes through a (logical) wire it logs the IPs, logon info etc. Very efficient, very secure, very accurate.
Actually, I just made all this up, but now that I mention it, does anyone think they are getting away with anything anymore?
slashdot troll = you make a compelling argument I do not like the implications of.
"Outlook 2003 has the option to both disable HTML and to disable loading of images, specifically aiming at web-bugs. Stop basing all of your opinions on 1997 era Outlook Express. Obviously I just defended MS against outdated and uninformed /.ers, so this will be marked as trolling."
My opinions? I was simply correcting a FACT that the original poster got wrong. Where exactly did I say it wasn't possible?
The example solution was one I found on the web, and also for the most commonly used versions of Outlook. A small percentage of users have Outlook 2003, which already supports the feature, as you said yourself.
Nah, it's more likely to be your wild accusations (see above) that will get you marked as a troll.
The way they could trace it would be:
a) return receipt
b) html e-mail with a transparent pixel or some other image that's hosted on a machine from which they can read the webserver logs.
So much for the big brother.
My guess is a tiny java app that when opened connected to a best buy computer. No matter how many email aliases and remailers the guy used, the receiving computer revealed the final connection the guy read the email from.
It attempts to be a reasonable proof that the email was read on that computer. It's something clever enough that it might be able to extract a confession if he's an idiot that doesn't know enough to shut his mouth and sit in a cell. But it's still not good enough to thwart a hacker defence.
It would be trivial to prove it's reasonable that a hacker might be clever enough to detect this and use it to frame someone else to elude detection. Anyone smart knows you have to have a backup fall guy.
If that is really the guy he's stupid for doing it within the US. Extortions like this actually occur all the time but mostly from abroad and by organized crime. It happens so much that is why the FBI are involved.
Say what you want about Microsoft, Outlook 2003 is pretty darn good. It has a great junk mail filter, and it, by default, blocks beaconing. No email is allowed to access the internet when being read, unless you specifically allow it to. Maybe this guy wouldn't have been caught if he had something like this setup.
-ted
It's probably been said, but just send an HTML message to the recipient with an embedded image reference, check your Web server logs for a hit, and you probably have the IP address (of course you can avoid being a victim of this, but in my experience most folks don't, even "security experts").
I read somewhere that this is one method spammers use to verify valid e-mail addresses.
This is another reason I like reading /. You guys give me a good whack on the side of the head on nearly a daily basis.
I read this and was foolishly thinking (probably like many do) that "oh, if I don't download an attachment and execute it there really is no danger. I mean really, if I don't "run" anything, how would anyone know?"
Silly wabbit is right. It's another case myself of not being able to see the forest for the trees.
I guess ANY HTML email can be malicious in a sense that it can snarf info if it actually interprets and points you to ANY website when you read it in its rendered state.
Talk about eye opening. I'll bet 90% of the general public don't actually realize this can easily be done for targeting purposes. With this in mind it's probably not hard (and don't flame me for not knowing this guys) but targeted spam in order to verify addresses could point to "specially coded" .gif files where a server-side plugin can compare the requested .gif to a known email and verify "yep - that addy is active" - even when most people ignore the unsubscribe links.
"The aspects of things that are most important to us are hidden because of their simplicity and familiarity" - Ludwig Wittgenstein
Never have a philosophy which supports a lack of courage
Interestingly, the article does not mention if there was an actual security flaw or if they fixed it. I would guess that in the process of arresting this idiot they confiscated his computer and can see what tools he was using. If he was very "professional" about his demands he might have had the document describing the exploit all ready to go, so he could send it to them as soon as the $2.5 million showed up in his bank account.
So was there an exploit? This is some pretty shoddy reporting if they are going to simply trumpet what the FBI did without investigating whether this guy posed a serious threat or not.
Lasers Controlled Games!
Dude, that was awesome, thank you :)
Yeah I feel real sorry for this extortionist losing his personal freedoms. How dare the government impinge on his right to break the law.
No law prevents putting an image in a HTML e-mail YTC !
The fact the image happens to be served from a server for which I have access to the logs is irrelevant. Many people include a photo (as opposed to a 1x1 gif) in a job application mail. This image could easily be delivered from a remote server (under your control) rather than be attached to the e-mail. After all, the remote machine requested that image! (since the user runs a HTML enabled mail client)
Please think before posting !
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
There's no indication that they got a warrant in the news articles. What possibly makes you think they had one? Have you ever *tried* to get subpoenas or warrants for electronic crimes?
It ain't trivial. What got this guy pursued was the actual money, in particular wire fraud. The Secret Service does not like wire fraud....
Thankfully, no company has yet exercised option 3: prosecute you for computer crime. It doesn't matter if they don't have a case or what laws are on your side -- they have the money, power, and desire to utterly ruin your life regardless.
These people market and sell a product they probably know is shoddy. What makes you think they'd have the moral fibre or restraint to refrain from shooting the messenger? You can't trust their software, what makes you think you can trust them?
I've finally had it: until slashdot gets article moderation, I am not coming back.
This stuff happens every day.. you get a warrant , you start investigation and you catch criminals ( you hope )
With a warrant you can do all sorts of invasive things, such as wiretaps, hidden cameras, borderline entrapment stings.. whatever the judge approves...
Just normally it doesn't reach the news, as its really not news worthy...
---- Booth was a patriot ----
He did try to get a job (or something like that) to help fix the problem. They didn't go for that; the blackmail was plan B. Neither plan was really very good.
Not if you make the bug auto reload.
Just a line of html
Is there, or should there be, a single, publicly known, media-like organization that is the central entity for this kind of thing?
If I find a security flaw in someone's system, I send all of the details to this group. Then they alert the company in question. If nothing is done, then the summary of the flaw is publicized. Eventually the details would be publicized.
With a media-like orientation, they can at least try to protect their sources of information.
Whatever, probably a bad idea....
I have misplaced my pants.
The truth is that criminals are just like the regular population. Some are smart, some are dumb and some are just average.
More like some are smart, and the average are just dumb. I'm glad there's no IQ scale compared to some well trained chimps....
Kjella
Live today, because you never know what tomorrow brings
It's a web bug - an image or other resource requested from a BestBuy controlled server in an HTML-enabled email message. That's how spammers verify your email address without you having to hit reply. Very simple.
3. You get placed on a list of "Crackers" that the company will point to when they get breached for real and have to "defend" themselves/image/losses to their existing customers.
--
Time is on my side
Huh? This sounds like some of the stuff in the book "Digital Fortress" by Dan Brown.
Sorry, you're wrong. It uses the IE COMPONENT, not explorer.exe. It's still outlook.exe that shows up as the running program doing the fetching.
I have Norton PF set up the same way. I get ZERO images loaded from the web. Unfortunately, this doesn't help with embedded images. Still, it prevents web bugs.
Then why not put the legal power to use these ubiquitous privacy-leeching tools in the hands of "neutral" ordinary citizens, to keep tabs on both "good" and "bad" guys alike?
Let's let the people who paid for Carnivore use it to check up on the FBI, to make sure they're using it in our best interests, why not? If the citizen's right to privacy no longer exists, surely that rule cannot apply only to the "neutrals".
(And while we're at it, why not get some CCTVs focused on the members of Parliament in Britain, as well as on the CCTV operators, on a public access feed. Why not?)
I was referring to SomethingOrOther's "fact" that "you can't turn off HTML in M$ LookOut", and his "opinion" that this was what this guy had been caught by. I just replied to the wrong parent.
The Slashdot Paradox: "100% Overrated"
Applying Occam's Razor to this situation from what I can gather, the most likely explanation is that the extortionist was using a program that automatically rendered HTML mail. The FBI sent an email message to the suspected extortionist with the intent that his mail reader would then request a file (e.g., a JPEG) from the network. When that happened, it would have been immediately obvious what the extortionist's IP address was, because he would be the only one who has the URL.
...even if he could spoof some email headers. Don't be so sure "he" can, only that he had some kind of tool to do it. Think script kiddie-style. Even if you have no skillz to code a tool, it doesn't take much to use it.
Still, even if he had some sense of online security, it'd be a bad idea. While I am perfectly capable of hiding my online tracks, they could always follow the money trail. Unless you want to go down the mafia route with 2,5M$ in small, unmarked bills in a suitcase.
Kjella
Live today, because you never know what tomorrow brings
How much of a threat could this guy have been? He uses Outlook for his e-mail. Anyone with even a modest knowledge of computer security would steer clear of this program. How much of a threat could he have been? Sounds like one clueless user inventing a hoax to get money out of another clueless user.
Fred
"A fool and his freedom are soon parted"
-RMS
I once saw a great news story about dishonest auto mechanics. They interviewed one of the very rare people who actually got busted for it. He said he couldn't understand why anybody would be a drug dealer when he could be a dishonest auto mechanic instead. The money's just as good, nobody shoots at you, and hardly anyone ever gets caught. (Except him, of course, but I still think he's accurate.)
I've found that my posts don't format quite right w/o a sig.
Give this a few weeks to fester. I bet that Ray's computer was hijacked and used to send the e-mail. Something like 9 of 10 cases turns out that they nabbed the wrong person after finding a rootkit or worm running on an unsuspecting windows user.
My friends and I used the same image trick to grab an IP for someone who was sending illicit and harassing e-mails to my sister. What made it even freakier was that this person knew information about her (like what clothes she wore to school etc.) Turned out to be some clown who went to her school in Oklahoma and moved to Michigan. As soon as we tracked down the ISP that was handing out his specific IP, they were more than willing to turn over the user's name (especially since my sister was a minor, ISPs tend to take anything involving minors very seriously and won't hesitate to give up customer information then, I mean, we weren't the cops or anything).
You believe the crap you just wrote? I know of at least 3 ways to remotely flip that little switch and do anything I want with any 2003 Outlook loser -- or their entire computer for that matter. All from an inbound email.
Enjoy your Windows crap. Sucker.
I'm using Outlook 2000 at work, and it calls Mozilla when I click on a link. J.
You're only jealous cos the little penguins are talking to me.
Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
He mentioned webmail.. which would be difficult to read using pine or elm or mutt or outlook or kmail or any other mailclient...
I would rather have some guy off the street spying on me than the goverment
Ummm, can't they both just leave me alone? You make it an either/or choice. I wish it was that simple. Sometimes the government has to spy on innocent people. I hate that, but I know it is necessary. And sometimes the guy in the street is harmless, but just curious.
I think we should stop telling companies about security vulnerabilities. This is only partly tongue in cheek; I think they've abused our trust in the last four years, selling tech jobs overseas et cetera, and I think perhaps it's time they realized what side their bread is buttered on.
Intolerance for ambiguity is the mark of the authoritarian personality.
How did this guy think he can get the money from Best Buy? In small unmarked bills?
-joe
For the love of god, it's been four hours and no new articles!!
...if any of those tracking tools would work against someone who only reads their Email with MUTT on a text console? Heck, even when people send me legitimate attachments, I have to save them to look at them (no X client). It sucks less.
Hands down the funniest post on /. ever.
Interesting idea. I wonder how to get per-process firewall functionality on Linux.
phase 1) send extortion mail spoofed as the original poster's address, bounced through at least 5 countries (preferably ones that don't get along with US very well), proxies or even FTPs would work fine.
phase 2) ???
phase 3) Profit!
Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
if it was your ass being extorted for $2.5mil that you would be begging your friendly neighbourhood FBI agent to help find the perp.
This is a central tenet of the DMCA.
This seems perfectly reasonable and there is plenty of precedent in the physical world: My house has many known security flaws. The largest would be the windows. They are easily broken with just a rock, allowing access.
There's an important flaw in this analogy. In the case of BestBuy's servers, there was (at least the pretext of) the public's security at stake. In the case of your house, there's no "public good" at stake, making it reasonable to presume that the motivation of a person breaking in would be to rob you or do some other outright harm.
I'm not saying the guy who communicated with BestBuy is an angel. His attempt to remain anonymous is IMO evidence of bad faith. But if he'd been forthright about his identity, and had described a less jarring publicizing method than revealing the customer data, I think it'd be arguable that he was looking to supply a public good at a price. If I was a BestBuy customer and there was a serious security flaw in their server that compromised me, I would certainly want it fixed, even if that was instrumented by an interloper who did it for selfish financial reasons (limits withstanding on the financial reward). This is a major problem with the DMCA, which inhibits the open discussion of such flaws.
- First they ignore you, then they laugh at you, then ???, then profit.
Didn't anyone else think that maybe just asking the reporter would do the trick? His email address is right at the bottom of the article.
<sarcasm> oh wait - this is slashdot right - only two people actually read the article. </sarcasm>
I emailed Mr. David Phelps asking what an "Internet Protocol Address Verifier" was and his brief reply was the following.
"it's commonly referred to as a web bug. i used the term as contained in the government's search warrant."
So while the theorizing here did come up with that as a possibility - it also came up with lots of other BS.
Now the bizarre thing is that the feds used such a weird term. Then again to a judge or lawyer the term "web bug" probably seems pretty bizarre.
I'd rather (and the law requires) you to stop at about the point you notice the hole in my foundation. If you choose to knock on my door and tell me about it, that'd be nice, but is not required.
Crawling into my basement is trespassing at least, and I suspect the DA could make a case for B&E
I'm too dangerous to take driver's license photos.
Not that I think you're a potential terrorist... but access to blank licenses could be very useful to all sorts of shadowy types, and I'd hope that "the authorities" would be pretty paranoid when appointing people to positions with easy access to them.
Not knocking pine, mutt, or elm, but you can't connect to Mail.Yahoo.com with those unless you've paid for POP access and set up fetchmail if those don't use POP themselves. (I don't know for sure, I've never used them.)
After using many other email clients, I still prefer Outlook. But, I don't know sneaky stuff like web bugs. So, if you want to read your email in the preview pane and not open it, you can prevent web bugs (and any other autolaunched filetypes) using the Chilton Preview. I have used it for years, currently with Outlook 2000. I don't know if it works with Outlook XP or 2003. You can find it here, and it's free (as in beer.) http://www.geocities.com/SiliconValley/Peaks/8392/
I bet he was just trying to get his rebate money from them.
-------- This space intentionally left blank --------
...is just the world's most expensive filter...from what I understand, it just sits at someone's ISP and collects all of their traffic. Aside from the fact that it can rape thousands of people's privacy at once, it's really nothing to be impressed with...when you're trying to get a specific person's data traditional hacking techniques are still the way to go.
But there is another kind of evil that we must fear most... and that is the indifference of good men.
So, you're telling me that this guy was smart enough to find a flaw in Best Buy's website, but was stupid enough to get himself nabbed by a 1x1 transparent bitmap...
Something tells me this guy was an idiot. He didn't find any flaw, he was just trying to extort money on some baseless claim.
Well, we know one person's ass that'll be getting banged like a screen door in a hurricane!
Yes Francis, the world has gone crazy.
"I've been thinking about throwing an extension together for Thunderbird with that feature... I really should do that."
Great idea.
And, to all those who are ignoring the political implications of having a government that does world-wide surveillance in secret and without controls or accountability, or even financial accountability, I suggest you consider the issue more carefully.
"In that case, I may notify the BBB"
Which will do exactly *nothing*.
If someone gets out of their car and accidentally leaves the key in the ignition, you would still be charged with GTA if you drove off with it. Just because someone left their grill out on the front porch doesn't mean you have a right to cook dinner on it. Just because someone leaves a bicycle leaning against the garage, or even down at the corner store, doesn't mean you have the right to hop on it and take a ride.
Just because someone's got stuff out where other people have access to it doesn't mean it's totally up for grabs or that they've given up their property rights to it.
Hokey statistics and ancient misconceptions are no match for a good thought in your head, kid!
Didn't you notice the new subpoenaless powers just given to federal authorities in December?
Do you have any idea how much power has been taken away from the Judiciary in the past three years, and been given to the Executive branch?
Have you not noticed the new redistricting, combining Dem districts, and splitting Repub districts? Greatly reducing Dem numbers in Congress? The normal 10-year (agreed) redistricting was re-redistricted after elections that gave Repubs control -- it's a Tom DeLay program. One redistricted precinct in PA was actually shaped like a finger pointing at the home of a Dem congressman. Regardless of your views, do you think a monopoly is the best system? Depending on one source for your food/car/job/news/govt/etc? Because that's where we're going now at breakneck speed, Bucko.
Are you not aware that Gen. Tommy Franks recently said that in the case of another major attack, the Constitution may have to be suspended. So who decides? Hasn't America been through some pretty tough times without suspending the Constitution? Do you have any idea what all of this really means?! Surely you haven't actually thought this through.
There has recently been historic undermining of the US Constitution, intentionally promulgated by the ruling Party, which is bringing us to dictatorship.
You can't cover this up with charges of "paranoia".
Campaign finance reform is national security.
I have the hacking skills to crack every password on Slashdot. Please send me 2.5 million dollars worth of slashdot subscription or else you will be owned!
You cannot find me, I am too smart open up html e-mails.
I will be in contact again at that point you will bow down to me.
Sincerely,
ANonyMous CowArd.
Yes, but assuming they cared about how long the email was loaded on his machine, they could have configured the server to send a Refresh header with the image instructing the client to reload it every second. Then they just check the logs. I'm not sure if Outlook supports that, but don't most Windows email clients use MSIE to render the HTML? It would probably work. There are probably other ways as well -- maybe Outlook supports the "onunload" trigger in the HTML body. (God, I hope not.)
* And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced "Mozilla."
Unless the guy clicked on a link on the BestBuy website, and found himself browsing through their credit card database, your analogy of a filing cabinet full of client records sitting in the parking lot is not even remotely valid as a comparison.
He had to actively attempt to break into the website (physical premises), to gain access to the credit card data. ie, prowling around the premises after dark checking the doors and windows, and finding one open, climbing inside and sneaking into the manager's office, before he went rifling through the customer records.
So what the hell is submitsubpoena.aol.com?
I've found crimes that I could commit that would result in a couple million dollars payout, but would result in me leaving the country and being on the run. I think I could do it, but I also think that the life style would be uncomfortable at best. (I have a wife, kids, close family, friends, and toys that I'd have to leave behind.)
I am well on my way to making the couple million I would have stolen (spending along the way, so I will miss the one time big pile 'o money) with a comfortable, respectable life style not on the run from authorities.
I see in the paper guys going to jail for robbing a video store. Is jail worth a couple hundred bucks?! The risk/reward is lousy for theft. I don't understand what they are thinking.
Joe
Joe Batt Solid Design
So if your company provides web access via a proxy server, and you don't configure your email client (e.g. Outlook) to use the proxy server, then the email client only connects to the mail server.
"We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
Best Buy should have gotten a service plan on their servers. If they expected an exploit, they could have brought it into their technicians for a "cleaning".
A truly altruistic extortionist would have asked them to revise their policy on stalking customers and trying to sell the god damn kitchen sink when I'm just trying to buy your uber-discounted laptop and rob you of any respectable margins.
put another way, if you're smart enough to get away with murder you'll realize that murdering the target won't do very much for you. So you won't carry it out.
The most dangerous people are angry and have poor impulse control. Beware the man with the hair trigger temper...
The principle of common wiretaps is as it has always been. Warrant first, wiretap later. Carnivore reverses this, it's wiretap first, warrant later. Or better yet - warrant based on what Carnivore finds (flagged words etc.) Which is as good as no warrant at all.
They don't need the manpower to follow you everywhere. The information is gathered *for* them by all sorts of other sources, in this case your ISP and its hook-up to Carnivore. It's got capabilities of a mass invasion of privacy that is unlike anything your common criminal, the KGB or even the mind of George Orwell had when writing 1984.
The entire "the criminals can do it, then the government should too" is plain old silly. So there are criminals selling drugs. Should the government start selling ecstasy and heroin too, then? Or break into people's houses? Or peddle kiddie porn? Or whatever else criminals do?
I actually expect the government to let me have some privacy until there's reasonable cause for the opposite (aka a warrant). We have a name for those governments that would like to have total knowledge and control over what their citizens do - we call them totalitarian regimes. You do want to live in one? I don't.
Kjella
Live today, because you never know what tomorrow brings
1. Always anonymize. It's cheap, trustworthy, and it works. www.anonymizer.com is my anonymizer of choice, but choose your own.
2. Disable all HTML features in your mail reader. Of course, if you're truly anonymized, that won't matter anyways.
Seriously, it's darned easy to not get caught online these days. I do it as a matter of course; I have a right to privacy in my online transactions, and anonymizer is an easy way to ensure that this privacy is never breached. But, when you're breaking the law, you should be damned sure it's untraceable...
I am disrespectful to dirt! Can you see that I am serious?!
I for one, welcome our new FBI overlords!
Actually, I had no access to blank license. Nor does anybody working in a Michigan Sec. of State office. In fact, only a few there have access to temp licenses, which are only valid with a state stamp (applied by the elected official in the back office) or with a punched full license stapled to it.
All I had access to were sheets of grainy photo paper and a camera the size of a small station wagon. The person behind me, who entered data into the computers to send to Lansing (the only place where the licenses are actually printed - and they never exist "blank", unless you count the white sheets of plastic with the magnetic strip on them). The picture, all the information, the graphics, the state seal hologram, the picture of the Mackinac bridge, and even the blank organ donor form on the back are all printed, and the magnetic strip programmed, at once. Without being printed, the blank license could just as easily be a blank student ID, a blank credit card, or one of those filler cards they use to make wallets stand up in the display cases.
Pardon me if I do not sympathize with this guy who can spoof his e-mail address, but can't tell Outlook (I assume) to not display HTML. If he had just sent them a polite note that said "this is broke, here's how I discovered it, what it does, etc., here is how to fix it", then I think the community could be outraged. This is nothing more than a common criminal act. Just because it was tech-related does not make it more romantic or noble. And while you may not agree with the technology, which sounds about as mysterious as spyware, it served its intended purpose this time, in the future who knows though.
I hate sigs.
Yeah sure, "Internet device known as an Internet Protocol Address Verifier"
How much you want to bet this super dooper secret tool just creates an HTML message with an inline 1x1 gif/png/jpg image hidden in the body that makes a call to a webserver somewhere to download it.
This is what the spammers do to verify that people read their messages, and this is what I know some mailing list managers do in order to see if their postings actually get read.
Obviously doesn't help if you don't use something like Outlook or OE, but would work on most of the people out there.
Brielle
FBI Files and COPS tend not to show you cases where the perpetrator outwitted ... the police
One of my favorite episodes of COPS takes place right here in Dallas. The officers see a suspicious vehicle -- a car with its window missing and steering wheel busted. They turn on the lights, the perp guns it and takes off.
Typically, there are two outcomes: the cops catch up, or the perp gets to the highway or otherwise makes it too dangerous to catch him. This guy looked like he was heading directly for option 1, going around in circles in a neighborhood just south of downtown.
But somehow, he pulled a fast one. After the second time they rolled across a vacant lot, the car just disappeared. The cops spent a while poking around a couple of apartment complexes before deciding they'd lost him.
My favorite COPS episode, though, has got to be this one.
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
They wont do a thing when Best Buy extorts the hell outta me! Extended warranty my ass!
Yeah, I watched Contact on TV last night too.
...the extended warranty to be a form of extortion.
Ads say someone could steal your identity and you'll have no idea they did unless you pay $60 for their credit alert system that notifies you of changes on your credit report. That's real extortion: credit agencies sell your info, which is then in turn used against you, but the only way to protect yourself is to buy a service from them. Seriously, what did this guy really do? He claimed to find a bug in Best Buy's system. And asked for money, otherwise he would make it public. Is that so wrong? Hell, to get off the DMA mailing list I have to pay, either online with a $ payment or by mail at the cost of the stamp and envelope and my time. They'll keep filling up your mailbox with their junk till you pay. Or phone companies that sell you anti-telemarketer service; they are the ones selling your phone number to the telemarketers. Or new cars nowadays that have a check engine light and an annoying beep that comes on when you need to change your oil; if you change it yourself, the light still comes on, and you need to take it to the dealer for them to reset the ECU.
Have you ever been to a Turkish prison?
I have financial information for several family members in my home. And the security of my home is a concern to everyone in my family (for many reasons). Does this mean that someone can search for a hide-a-key, and threaten to use one if found?
The fact that some people bring their work home, does not mean that they no longer are in a home.
Squirrelmail defaults to not showing linked images. If there are any, it has a link at the bottom "display unsafe images". I like it!
brb 2 secs, someone's at the door...
It's the dog.
I think I need to add something here. I have already done this several times without fear of prosecution. Prosecution? Please. There are buildings full of attorneys that would LOVE to get my case if somebody came after me for making a legitimate consumer complaint. I, a small customer, try to place an order on Big Company's website and, being a computer professional, notice it's insecure; I notify the company and they would try to prosecute me? That's not only silly, it's incredibly bad business. That just takes a non-issue and puts it on CNN or 60 Minutes. This isn't like cracking the encryption on a DVD or hacking through a firewall. This is a legitimate consumer complaint. Believing that Big Company is going to try and pin me as a cracker would take more resources ( and more problems when people actually DO get hacked ) than trying to extinguish me. I'm much more concerned they'll just ignore the problem.
The reason I have no fear is documentation. I have full records of everything I've done and did not do. I have every email I've sent. Other organizations also have records. I've told them ( the company) how to contact me if needed. What kind of 'cracker' prosecution is going to hold up against that? I've worked in corporate management before, and documentation is the most difficult thing to combat. Look at the case with SCO. If SCO can't produce evidence against IBM, their case is done. Period. That's documentation in action ( or lack of it in action, more than likely. )
Don't give me a bunch of case histories about companies crushing the individual. It happens, but I'm pretty confident that those individuals were fighting the company in some form. I'm not, and as I said, I turn the information over to other organizations ( FBI, SBI, whatever. ). You can toss out paranoid ideas all you want. I'm speaking from experience. I've done this at least a dozen times.
Most companies are aware there are "white hats" as well as "black hats", because most companies have tech people on their own staffs. What terrifies big companies is NOT that someone is going to blackmail them. Anyone who tries that WILL GET CAUGHT. What actually scares the heck out of big companies is that someone will start stealing identities and credit card numbers from their warehouse AND IT WILL MAKE THE NEWS. That's their motivation, not crushing me for complaining. When you return something to Best Buy, is it their policy to hit you with a baseball bat and yell at you with a megaphone until you leave?
If you put the same bill out in a public place (say, on a public sidewalk) and then go away, and someone takes it, it's probably NOT theft.
/may/ be when the police do not need a warrant.
Technically, it's either larceny or embezzlement. The money is not yours. If you pick it up intending to keep it for yourself, it's theft. If you pick it up intending to follow the law and report the missing property to the police, you have acquired possession lawfully. If you change your mind once the money is in your pocket, it's not larceny, but it is embezzlement.
Of course, that's under old common law. These days, it's simply theft. The law requires that lost or abandoned property be delivered to the authorities. If it's not claimed by its rightful owners, then you'll get the property back from the cops.
Realistically, however, no one is going to report a $20 bill to the cops, and no one is going to care. But a sack of money? Keep it and you're committing a felony.
When does a resource stop being the "property" of someone? The simplest answer is when they have no control on that resource. Another
"Finders Keepers" is not the law. Also, the law related to the fourth amendment protections against unreasonable searches and seizures (the root of the requirement to obtain search warrants in some cases) has absolutely nothing to do with the definition of property rights, and when those rights end.
Going back to the Internet and theft: Theft usually requires the taking and carrying away of the tangible personal property of another - so you can't really "steal" a web page. But you do need to drop the illusion that it's OK to play around with other people's stuff (homes, web pages, etc.) just because their security can be easily circumvented. I could break into most homes simply by throwing a brick through the window. This "exploit" doesn't give me the right to root around in my neighbor's homes, just because they're too stupid to have their vulnerable windows bricked over. I can photocopy a book I borrow from the library. The fact that the publisher failed to provide adequate security by printing books that can be photocopied does not make my actions legal.
144l. ph34r my 133t l3g4l 5k1lz!
The article link now takes you to a registration page, to register for StarTrib content.
Luckily, I had read it the first time before the gauntlet was dropped.
I wonder if this will become a new trend. Bait Slashdot into linking to an interesting article you have, then switch it for a subscription page.
We need a new term for the behavior - SlashBS - Slashdot Bait & Switch.
(Really, nobody will be waiting for you when it arrives).
have you read the DMCA?
all of that is now illegal.
A blog about stuff.
For security reasons, you should already have this set, but remember to TURN OFF the Preview Pane if you don't want your messages opened up, parsed, and rendered every time you click on them. This prevents web bugs and other malicious embedded data from being run just as you look through your list of messages.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
It all depends what kind of crime.
The Zodiac Killer was never caught, but was still extremely famous. He left encrypted messages at crime scenes, some of which the cops solved, and some of which remain unsolved to this day, even with the full attention of public cryptologists trying to crack them.
my firewall only allows Outlook to connect to one address -- my domain's mail server -- and only to two ports at that address, ports 110 and 25.
On Windows, I don't understand how your firewall knows that the connection is from Outlook, and not from some other app.
I would expect your firewall to see origin and destination IPs and port numbers, and the request contents. How would this web request coming from Outlook (indirectly anyway, through an Explorer .dll), be any different from a standard request from your browser?
Please, share your magic.
We applaud the hackers who so cleverly get around protections on technology. We had our "Free Kevin Mitnick" and "Free Dmitry" campaigns.
I thought the "Free Kevin Mitnick" campaign was about his imprisonment without trial for several years. I don't think anyone was debating that he should have been let off without any punishment, after all he did break the law. Just that denying him trial for several years isn't really something that's done in democracies.
Dmitry Sklyarov did something perfectly legal in his own country, and got arrested for it in the US. That wasn't an issue of freeing Dmitry just because he cleverly got around protections in technology, but because he did nothing illegal in the first place, and was still locked up.
So both those cases were singled out not due to anything clever on behalf of the hackers (in both senses of the word) involved, but because their human rights were infringed.
Here is a nice hack done for a good reason by the same law enforcement that is supposed to investigate and stop such crimes as extortion. And how do we react? Government spying! Conspiracy!
So the first campaigns you mention came to public attention because of obvious infringement of rights. This latest FBI case deals with the same thing. If someone is concerned about human rights in the US, then of course he or she would be angry at the treatment of Mitnick and Sklyarov, and of course he or she would be suspicious of the FBI tracking emails.
Right or wrong, this isn't a double standard at all. It's just two sides of the same coin.
However, it seems like it was just a web bug, and the FBI had a warrant, so I doubt anyone seriously has any problem with that. But can you honestly blame people for being suspicious, especially considering the PATRIOT act and Carnivore?
Why is it when other companies do this, it's called "consulting," but when some person does it it's called "extortion".
--
Adobe's anti-counterfeiting softw
I submit the following under the GPL (see http://www.gnu.org):
grep -rEo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' /var/spool/mail
;)
Unix version 0.1:
grep -i "^received: from"
Windows Version 0.1:
Save the e-mail message you get back from the perpetrator to a *.eml file and then use Notepad to find "Received: from"
Un-news
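The joke above is closer to the real thing than it looks: the Received: headers are the only record of where a message came from, and the question is which of them you can believe. The Python below is an added example, not code from the article or from any poster here. It parses the Received: chain of a constructed message (the hostnames, addresses and ids are invented sample values) and separates the hops written by your own mail servers, which you can trust, from the ones below your trust boundary, which the sender's side could have written or forged.

```python
import email
import re
from email import policy

# Constructed sample message (not from the article): four Received: hops.
# Hops are prepended as the message travels, so the top one is the newest.
# The bottom hop was written by the sender's own machine and may be forged.
SAMPLE_EML = """\
Received: from mail.bestbuy.example (mail.bestbuy.example [192.0.2.10])
\tby inbox.bestbuy.example with ESMTP id abc123; Tue, 4 Nov 2003 10:02:00 -0600
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mail.bestbuy.example with ESMTP id def456; Tue, 4 Nov 2003 10:01:58 -0600
Received: from userpc (dsl-pool-44.isp.example [203.0.113.44])
\tby relay.isp.example with SMTP id ghi789; Tue, 4 Nov 2003 10:01:55 -0600
Received: from innocent.example (innocent.example [10.9.8.7])
\tby userpc with SMTP; Tue, 4 Nov 2003 09:00:00 -0600
From: someone@isp.example
To: security@bestbuy.example
Subject: constructed sample

Pay up.
"""

# The MTAs we operate ourselves (assumed names); only hops *they* wrote are trustworthy.
OUR_MTAS = {"inbox.bestbuy.example", "mail.bestbuy.example"}

# "from <helo-name> (<reverse-dns> [<ip>])" and "by <host>" as most MTAs write them
_FROM_RE = re.compile(r"\bfrom\s+(\S+)\s+\((?:\S+\s+)?\[([0-9.]+)\]\)")
_BY_RE = re.compile(r"\bby\s+(\S+)")


def received_hops(raw):
    """Return the Received: hops, newest first, as (from_host, from_ip, by_host)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold continuation lines
        m_from, m_by = _FROM_RE.search(text), _BY_RE.search(text)
        if m_from and m_by:
            hops.append((m_from.group(1), m_from.group(2), m_by.group(1)))
    return hops


def trace_origin(raw, our_mtas=OUR_MTAS):
    """Split the hop chain at our trust boundary.

    Returns (verified_ip, claimed_chain): verified_ip is the peer address
    recorded by the last MTA we control (the party to ask next, typically
    the sender's ISP); claimed_chain lists the addresses in hops written by
    machines we do not control, which the sender could have fabricated.
    """
    hops = received_hops(raw)
    verified_ip = None
    claimed_chain = []
    for _from_host, from_ip, by_host in hops:
        if by_host in our_mtas:
            verified_ip = from_ip  # keeps being overwritten until the last trusted hop
        else:
            claimed_chain.append(from_ip)
    return verified_ip, claimed_chain


if __name__ == "__main__":
    ip, chain = trace_origin(SAMPLE_EML)
    print("handed to us by:", ip)      # the ISP's relay, 198.51.100.7
    print("unverified hops:", chain)   # ['203.0.113.44', '10.9.8.7']
```

The verified address is the one worth a subpoena (the relay of whichever ISP handed the message to you); everything below it, including the innocent-looking 10.9.8.7 hop, is text the sender's machine was free to write.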
It's the trunk tone or whatever...I don't think switches that work that way are in use in many places anymore...
Blar.
ping -l 666 -n 666 special.host.at.bestbuy.com
fsckin' DUH!
Carnivore for the feds? I'm starting an open source project to hold my valuable IPAV app's intellectual property and I'm going to call it Moronivore
It *is* a troll, but it's clever - please mod up
I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
I used to do this once in a while. Just put an img tag that retrieved from a perl script. The script logged what IP, email address (from the img URL) and date. Not real hard to do. The feds just had to give it a cool name though to make it look exciting.
...that Best Buy's web site is currently inaccessible?
--- Ban humanity.
I have scanned through the comments and most are talking about using html/images to track him. What if the FBI/TLA agency is just goofing everyone? - like mechanics telling someone that their "muffler bearings" need replacing.
:)
With that in mind, what if their "Internet Protocol Address Verifier" is just turning on the "receipt/delivery notification requested" option when they sent him their outgoing email - I have mine turned on by default and I know that there are a number of people whose email servers and/or clients return a read notification to me without them really realizing it. It won't give you the client IP in every case, but it does give you various amounts of useful info.
That wouldn't necessarily be defeated by using pine, etc, etc.
One of my favorite fun uses for read notifications is to see when the evil catbert trolls from HR are pawing through the email inbox of someone in the company that got canned or left without marking all my msgs as read. The trolls don't realize it sends me a read notification as they paw through, so when I get one from a "being phased out" email account, I send an email saying:
Oh my God, so-and-so did you come back? I hope so.
Sorry that you were gone, everyone missed you.
Ugh, what a job to have, like looking through someone's pockets after they're dead...
"Women's rights. Same-sex marriage. Civil liberties. Anti-Patriot Act. Patagonia. Paper towels. Ralph Nader for President!"
That ought to set off every filter Carnivore has. Now how long will it be before the feds come?
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
I also do this, though I also include a statement that if they want to check what I did they can view the logs from x time to y time and see the URL patterns.
I usually don't get a reply, but the exploit almost always gets fixed. The only time I did get a reply was when I found out you could get into the Home Banking Administrative Interface of my Credit Union after you had logged in to your account. When I called their tech support the guy at first said you couldn't. When I told him to log in to an account and then try it, I heard, "Ok, loggin...Oh my!"
For the most part though I follow the Enron rule as well. If I can't explain how I stumbled on it, then I don't want to have done it.
Random Musings
George Lucas's fertile imagination is so much more convincing than those ponderous, dusty history books. And you can't eat popcorn and jujubes while reading books, it gets the pages too sticky.
You're forgetting the fact that George Lucas' fertile imagination also features Natalie Portman running around in a skin-tight, midriff-bearing white shirt.
If there had been some hot grits in the last film, you would have never gotten modded up to +4 Insightful :)
Nicely written, thank you.
Off topic.
I was curious what the invisible college was all about, catchy name I guess, but my browser doesn't do flash. If there is a non-flash html entry page, can you post that?
that implements that feature.
(Think of the bandwidth to scan, and how difficult it will be to scan for all such serials in realtime. How fast can you grep for a single 8 character string in a file with a 3.2GHz PIV?)
Fuck Beta. Fuck Dice
What does the Department of Homeland Security have to do with "human services"?
So this just occurred to me - why is this called "extortion", and what SCO is doing is called "protecting its intellectual property rights"?
Stop-Prism.org: Opt Out of Surveillance
Blackmail in the sense of "threatening" to do something legal unless you get paid is simply a business proposal, and should not be illegal in a just society. The "victim" can simply refuse to pay and be no worse off than if the threat had never been made.
It's hard to tell from the article if this is such a case, but I don't see any mention of anything criminal.
Walter Block of "Defending the undefendable" fame has an article outlining the arguments.
Am I missing something obvious or shouldn't all these computer criminal masterminds be taking advantage of the countless unsecured WAPs in every city? The bottom line is that every connection you make via wire from your home can plausibly be traced so why not get a laptop, wander around the city and send out your demands from the comfort of a park bench. Let the FBI send every tracer they can think of, they'll always end up with nothing. Seems kind of worth it if you're trying to lift $2.5 million. I wouldn't be surprised if within 5 years the gov't makes a law holding all WAP owners accountable for the security of their system.
CommentBot 0.7a running with args "-module irritate,disagree -target random"
Not the bough. It's not a tree. The analogy is to a ship. When one armed ship wants to warn another ship, a common way to do it is to fire a shot across their bow (the front of the ship). This is a warning that is very difficult to ignore. Firing a warning shot across a large branch of a tree is... well... less effective.
I managed to get a hold of the source code for the internet address verifier. Here goes:
#!/bin/bash
# Look up who operates the mail exchanger for the sender's domain,
# so the subpoena can be aimed at that party (usually an ISP).
usage()
{
    [ "$1" ] && echo "$0: $*" >&2
    echo "Usage: $0 email-address" >&2
    exit 1
}
[ "$1" ] || usage "You must supply the criminal's email address"
email=$1
domain=${email##*@}                       # everything after the @
# first MX host for the domain (last field of "... mail is handled by 10 mx.example.com.")
mxname=$(host -t mx "$domain" | sed -ne 's/.* \(.*\)/\1/p' | head -1)
# and its A record (last field of "mx.example.com has address 192.0.2.1")
mxaddr=$(host -t a "$mxname" | sed -ne 's/.* \(.*\)/\1/p' | head -1)
# netblock handle in parentheses on the whois summary line, e.g. "(NET-192-0-2-0-1)"
netblock=$(whois "$mxaddr" | sed -ne 's/[^(]*(\([^)]*\).*/\1/p' | tail -1)
netowner=$(whois "$netblock")
echo "Your next step is to issue a subpoena against the following party - probably an ISP."
echo "They need to give you the current user of the IP address $mxaddr."
echo "(This may very well point back to the same ISP)."
echo "This party, in turn, must turn over the identity of the email account $email."
echo "$netowner"
carnivore? hell no, they could insert and then just check their weblogs...
Haven't read through all the responses yet, so my apologies if this has already been talked about, but here goes:
This so called "Internet Protocol Address Verifier" could simply be a web bug planted in the reply back to this guy. Usually web bugs manifest themselves as something like 1px x 1px linked images in the email. When you open it your system goes and gets the image from the web server under the control of the person who sent it, and then they have your IP address. Yes this theory has holes in it, like maybe the guy was http proxied, but let's face it...Guys dumb enough to try to extort money out of companies like Best Buy and don't expect the men in black to show up at their doorstep aren't the brightest bulbs in the batch. Maybe they paired the IP address in the email headers with what they got out of the web bug, sprinkled a little Carnivore on it and said "this is our guy".
Anyway, in conclusion, let's remember that this is the media we're talking about reporting on something technical. I don't doubt that Carnivore was involved in some way, but I doubt it was the only thing they used to track this guy down.
-R
I have to disagree here:
"Most companies are aware there are "white hats" as well as "black hats", because most companies have tech people on their own staffs."
If/When I tell people I am a hacker (or that I like to hack things), they always come up with a response like "Aren't you afraid you will get caught?" because they think a hacker is only someone breaking into banks and stealing money. (After all, to them, why else would someone spend hours figuring out a system and beating the sysadmins?)
Most likely, your letter, be it e-mail or snail mail, would be read by the non-techy person who matters first, be it a support person or a manager type. So there is a chance the company chooses a set of actions before anyone that matters (a tech person that knows) gets wind of it.
The spirit of resistance to government is so valuable on certain occasions that I wish it to be always kept alive
They may have caught the extorter, but what is to stop someone else, who may not be as "nice", from stealing user information from BestBuy.com now?
Office XP includes Outlook 2002. It's version 10.
If this was applied to a construction company building houses and a person knew of a flaw and threatened to tell the owner of the building being built unless you paid him to fix it.
Is it ethical to protect the faulty building constructor and possibly endanger many many people who would occupy that building or would it be ethical to expose him and name a price for fixing it.
One couldn't expect a person to fix it for free and telling of the exploit without charging would simply be stupid.
Anyone have a suggestion of how to approach a company and expect to get paid without getting racked for extortion ?
So I'm walking down the street, just looking around, and I notice your front door is open. I take a closer look and notice that you don't have a doorknob, either. I ring your doorbell, mention that you have much less security than what people would generally expect, and that I (or someone else who's qualified) can fix your problem. Have I committed any crime? I then look above your door and see that this is a business establishment, and knowing how most businesses operate, that you don't have your client files secured any more than your premises (not a stretch in both the physical or computer world). So I mention that I'll be driving by in a month or so, and if the door is still wide open, and the doorknob is still missing, that I'll go to some place where your clients frequent and put up a notice about your shoddy practices. Is there any crime in that?
Phrased in that manner, what you are doing is not illegal. But if, instead, you ring my doorbell and say "You've got a problem with your security here, pal. Pay me money and I'll tell you what it is. Oh, and if you don't, I'll tell everyone passing by for FREE!" then, yes. You have done something illegal.
fs
damn-near strip searching 90 year old grandmothers That is a horrible visual...
It's not called Carnivore anymore. It's called DCS 1000 now. And it's not as sophisticated as people want to believe. It's just a Windows NT server.
The difference is that if someone breaks into your house, you and you alone are the one to suffer. Your neighbor is not harmed, and that small suburban neighborhood three states away does not lose their electricity.
However, when someone breaks into your computer, they can and frequently do use it to attack other people's computers. They launch DDOS attacks using it. They use it as a tool to steal credit cards. They send millions of spam e-mails.
Comparing computers to houses is stupid, as are you for doing so. A better analogy is to a cell in your body. If one cell gets infected with a disease, do you defend that cell's right to choose how it behaves? No, your immune system roots out the problem. If a cell gets cancer and starts dividing wildly, do you claim that cell has a right to divide? No, you do your damn best to kill that cell with radiation or chemicals. Why is that? Because that cell poses a powerful threat to the other cells in your body. Stop thinking of the Internet as a city or neighborhood of houses, and start thinking of it as a single living entity. Problems must be handled. The Northeast blackout was largely due to operators not receiving updated status information because the monitor system was being pounded by the latest Windows worm. The backbone of the Internet has been destabilized and nearly gone down under the strain of Windows worms. Would you seriously want to bring criminal charges against all the white blood cells?
Best Buy added a link to "The R3al P@ris Hilt0n"
<g>
I am the unwilling control for my Origin.
There is a service that does something similar to this. If you add ".comfirm.to" to any email that you send it will first be sent to the domain of comfirm.to, they will embed an invisible image and send your email on to the specified address. It will track the email and you can see who it was forwarded to for the life of the email. So if I sent an email to someone@somedomain.com I would send it as someone@somedomain.com.comfirm.to And the comfirm.to guys would track the email. Pretty cool. Thanks to the WebSkulker for this one.
All of which has absolutely nothing to do with some guy trying to extort money from Best Buy and the FBI creating a sting operation to catch him. It seems like every time the government is mentioned all the reactionary /.rs crawl out and start in with their Big Brother tirades. The guy broke the law and *gasp* the government tried to catch him. What is the FBI supposed to do? Just wait until all the criminals walk into Quantico and turn themselves in?
Thanks for the link, I was able to finally check if AVG antivirus can detect viruses.
"If SCO can't produce evidence against IBM, their case is done."
If you had to pay for the research and all the procedural details, documentation, and representation in all the hearings that will happen until their case is done, you'd probably be bankrupted many times over.
Zealots like me set their firewalls to disable all internet access from IE's process space. ;-)
Your house is your property. The internet is a public network. That's not a valid comparison. There is no "breaking in" involved. If you put the code on the internet for the public to access, then it's your fault people access it; whether they are accessing it in the way you intended or not is a pretty fine line to draw. I don't want you accessing my website using Windows, so does that mean everyone who comes to my website from a Windows machine is a "criminal pure and simple"? Demanding money is a crime; "breaking into" someone's system is very much a grey area, it's not nearly as cut and dried as you are trying to pretend it is.
"The response allowed investigators to identify Ray as the sender of the e-mail threats,"
No, at best it says it came from his computer, and all that implies.
The Kruger Dunning explains most post on
That is more like a casual user of the website finding a bug. But if it requires probing, a more apt analogy would be walking up to random women on the street and groping their breasts and telling them you are checking for breast cancer. Sure, you may occasionally find it, but that doesn't give you the right to be probing there without their permission.
Or they could have called it a web bug.
Embed IMG tag in email.
Server serving the image reports when and where it was fetched from.
Carnivore at work? More like one of the oldest tricks in the book.
If the sender is smart enough to use foreign proxies, or disables html mail, they are just fine.
http://computer.howstuffworks.com/carnivore.htm
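Several posters above describe the same two mechanisms from the sending side: a remote 1x1 image that makes the mail reader fetch a URL, and a read-receipt request that makes the reader's client send a notification. The receiving side can check for both before rendering anything, which is exactly what the Squirrelmail "display unsafe images" default and the advice to turn off the preview pane are protecting against. The Python below is an added example, not code from the article or from any poster; the message, hostnames and the "id=c0ffee" token are constructed sample values.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample (not from the article): an HTML mail carrying a read-receipt
# request, an inline (cid:) logo, a visible remote banner and a 1x1 remote pixel.
SAMPLE_EML = """\
From: security@bestbuy.example
To: someone@isp.example
Subject: Re: your message
Disposition-Notification-To: security@bestbuy.example
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Thank you for contacting us.</p>
<img src="cid:logo@bestbuy.example" alt="logo">
<img src="http://www.bestbuy.example/banner.png" width="468" height="60">
<img src="http://tracker.example/pixel.gif?id=c0ffee" width="1" height="1">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True for the classic invisible tracking image: 0/1 pixel or styled away."""
    tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


def remote_images(html_text):
    """Every <img> whose src would make the mail reader contact a web server."""
    collector = _ImgCollector()
    collector.feed(html_text)
    found = []
    for attrs in collector.images:
        src = attrs.get("src", "").strip()
        if not src.lower().startswith(("http://", "https://")):
            continue  # cid: and data: images are already inside the message
        found.append({"url": src, "hidden": _is_hidden(attrs), "tagged": "?" in src})
    return found


def analyze_message(raw):
    """Report what in this message would reveal the reader's IP or reading time."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    images = remote_images(body.get_content()) if body is not None else []
    return {
        # either header asks the reader's client to send a notification back
        "read_receipt_requested": msg["Disposition-Notification-To"] is not None
        or msg["Return-Receipt-To"] is not None,
        "remote_images": images,
        # a hidden image, or one carrying a per-recipient token, is the classic web bug
        "web_bugs": [i for i in images if i["hidden"] or i["tagged"]],
    }


if __name__ == "__main__":
    report = analyze_message(SAMPLE_EML)
    print("read receipt requested:", report["read_receipt_requested"])
    for bug in report["web_bugs"]:
        print("web bug:", bug["url"])
```

The banner is listed but not flagged: it is visible and has no per-recipient token, though fetching it still discloses the reader's address, which is why a client that simply refuses all remote images (rather than trying to tell pixels from banners) is the safer default.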
They probably knew the mail reader based on the x-tra headers in the email. From that I'm sure they probably tried whatever attacks exist against it (header buffer overflows etc....)
Given that AOHell was involved the guy probably used somebody's CC to create an account, or is a complete fool for using that service.
If it was the latter, I'm sure AOHell already has snoops and a slew of other privacy invading functionality in their software.
If the user used IE, ActiveX could be used to install whatever software, and maybe he was lame enough to click OK. Like I said a multi-pronged attack. Once they have software on your machine, nothing else matters.
That my grandma sends me those? Have you been reading my mail? ?
*looks around nervously, check under keyboard*
GENERAL PUBLIC SIGNATURE (GPS) Any replies (derivatives) of this post must also use the GPS
That's funny. I told them last year not to open any batch files *ever*, even if they came from my account.
and nabs thief "terrorizing" best buy to the sum of 2.5 million. Meanwhile, /bin/laden remains
at large. Way to go patriot act. I'm glad best buy is a safer place for me to get ripped off now.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Speaking of problems with certain strings and forms, my super leet cracker string cuts off the rest of the paragraph because I put a < in by mistake. I was playing with it when I hit Submit instead of preview by mistake. Oops. Here's the whole post:
Hey I found that your system is vulnerable to the 'foo bar baz' exploit. Here's a link to the fix.
The problem, as I see it (and I am always willing to admit my vision is off when someone shows me I'm wrong), is that to find the potential for exploit "foo bar baz", you must usually be engaged in something that frightens clueless business types. If I enter a ' at the end of a form by mistake when I hit the ' and ENTER keys at the same time and get a SQL error in return, that's one thing, but if I'm playing "Super Leet Cracker" and port scanning a swatch of IPs or just arbitrarily telnet to someone's server (I have, for example, telnet'd to bestbuy.com:80 and issued a HEAD just for the sake of it) and find out they're using "OpenSSL x.y.vulnerable", I can report it anonymously if I hassle around a little. Yes, it's trivial, but it's annoying, and, in my experience, it's liable to get ignored if it even gets delivered. If I report with my real name and e-mail, I have to fear that they're going to say "oooh! He's doing recon for an attack! FBI! FBI! Shenanigans! Shenanigans!". Nobody that matters knows who I am and they're liable to take a harmless "hey guys - heads up" as a threat.
Too much litigation, not enough common sense. If I'm not looking to break into something, I shouldn't have to fear undue prying for trying to help someone out. If I sit and hammer their SQL Server with connection strings for five hours straight, that's one thing, but if I just notice a potential problem while I'm harmlessly poking at the edges of things for lack of anything better to do (yea, I need to get a life), I shouldn't have to fear the Wrath of the Lawyers.
Alito: A vote for Alito is a punch in the eye to put that bitch back in her place!
$5 / month hosted VPS on linux = awesome!
I see http://www.company.com/logo_small.gif
I decide to try http://www.company.com/logo_big.gif
I see http://order.company.com/view.cgi?custid=1
I decide to try http://order.company.com/view.cgi?custid=2
So typing URLs should be illegal - if you can't find a link to click on, go away?
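The custid=1 to custid=2 guess above is an insecure direct object reference. As an added example, not code from the thread, here is a stand-in for view.cgi that looks the order up with no ownership check, next to one that ties the id in the URL to the authenticated customer; the ORDERS table, the session ids and the order text are all constructed.

```python
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the order store behind view.cgi: custid -> order text.
ORDERS: Dict[int, str] = {
    1: "order 1001: widget x2, ships to customer 1",
    2: "order 1002: gadget x1, ships to customer 2",
}


def custid_from_url(url: str) -> Optional[int]:
    """Pull the custid query parameter out of a view.cgi URL; None if absent or non-numeric."""
    values = parse_qs(urlsplit(url).query).get("custid")
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def view_vulnerable(url: str, session_custid: int) -> Optional[str]:
    """Mirrors the thread's view.cgi?custid=N: the id comes straight from the URL and is
    never compared to the logged-in customer, so editing 1 to 2 shows someone else's order."""
    custid = custid_from_url(url)
    return ORDERS.get(custid) if custid is not None else None


def view_hardened(url: str, session_custid: int) -> Optional[str]:
    """Same lookup, but the URL id must match the authenticated session. A mismatch and a
    missing order both return None so the response does not reveal which ids exist."""
    custid = custid_from_url(url)
    if custid is None or custid != session_custid:
        return None
    return ORDERS.get(custid)


if __name__ == "__main__":
    url = "http://order.company.com/view.cgi?custid=2"
    print("vulnerable, logged in as 1:", view_vulnerable(url, 1))  # leaks customer 2's order
    print("hardened,   logged in as 1:", view_hardened(url, 1))    # None
```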
I understand what you are saying - if they suck that bad already, why would they care to do anything but transfer their guilt to you in the form of a lawsuit, but on what grounds? I wonder how long it is until a lot of the laws hitting banks, higher ed, and healthcare start to hit business... laws where they get in big trouble if financial, student or medical info gets out. Just add "customer" to that mix.
Amen brother!!
Moderators need an additional choice: "Karma Whore" for people who cut-and-paste articles as their comments!
I could tell you but then they'd have to kill me.
I think most of your statements are correct, with only one small oversight. While law enforcement may only apprehend criminals dumber than they are, they have procedures to follow that aid them in doing their task no matter how stupid they are.
First time criminals are the easiest to apprehend and fortunately this includes most murderers. Without experience most of them are caught simply by the investigator going through a checklist of what to look for and who are the most likely people to focus on. Without their own training in procedure they are at a disadvantage against someone equally stupid.
"Bloody glove? Huh, wha? Ummm...It's not mine."
It all sounds so mysterious, but spammers do this all the time. It probably didn't take more than sending the mail as HTML, with a unique image link in it.
Or how about a delivery/read receipt?
[hat type="tinfoil"]
I mean really, people, next thing you know Microsoft will be announcing that their products don't actually suck, per se, but that the USGov requires them to have certain "points of ingress" and the real reason they take so long to patch things is that every time someone finds a USGov hole, the patch has to include a suitable replacement...
[/hat]
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Chances are, this appliance is probably a proxy of some sort. AOL gives out an IP address, and the box itself probably either proxies for the box itself, and logs it all, or some sort of redirect is sent out so the box can record all traffic.
Using this method, they could also do an automated trace on the line, if he was using dial-in, which I'd imagine, if he was smart, he was..
-- I'm the root of all that's evil, but you can call me cookie..
You say, "Obviously you have never lived in a country that kills its OWN citizens." I live in Florida. Why, if it weren't for Texas, we would kill more of our OWN citizens than anybody else in the world. We can't count, but we can kill.
they already know the e-mail address of the hotmail account... can't they just ask the ISP to disclose the IP address when the user logs in?
I suppose you kids with your fancy-shmancy cable and DSL can't do that. Can you? :-)
I get 42.5K bps connections, and I likes it that way!
Bah! Get off my lawn!
My other car is a 1984 Nark Avenger.
Be advised, that just saying I'm wrong doesn't make it so.
You have to give facts, if you think you're more right, or else it's just arguing.
Campaign finance reform is national security.
Remember that the NSA still measures computing power in acres.
Which is so useful and needed in tracking down an email/IP path by using quantum chromodynamics instead of the ole web-bug and look at logs trick.
Actually, I'm pretty sure they measure it in terms of GHz, GFlops, etc. just like the rest of us do.
My Suburban burns less gasoline than your Prius.
I found it. In case anybody else is looking for this preference, it isn't under Preferences. When you have mozilla mail open, under the View menu, there is a "Message Body As" option that allows you to select "Simple HTML."
I never said that you were wrong in any of your arguments. What I said was that the arguments had nothing to do with the FBI trying to catch a guy who was committing extortion. It's not like the FBI was sitting around with all of their surveillance equipment and just happened upon this guy. In all likelihood he contacted Best Buy with his demands and they in turn contacted the FBI. But because it involves the FBI and electronics, everyone starts in with the conspiracy theories that have been posted a thousand times before. I'm no fan of the expansion of the government's rights to watch over us. I just don't think it applies in this case. The FBI was simply doing their job here.
Filthy, sneaking trees....
Everyone keeps making the analogy of breaking into my private home. This MAY be an acceptable analogy if people are scanning IP #'s and try to break into my non-publicly accessible home computer. But if I am running a web site with a MySQL backend that is listed by Google, that I want people to see, and someone pokes around my "feedback" form for my blog and finds that they can make a purple Barney pop up, they'd better tell me about it. And I will be appreciative too, because "shame on me!".
It's even worse if I am selling stuff and have people's names, addresses and (God forbid) credit card numbers on my system (This is why I won't do CC auths on the sites I host - I'm not confident enough yet in my own abilities to risk it. Well, that and I play Diablo L.O.D. on the same box as my webserver :-)
People need to realize that connecting to the internet carries with it a responsibility. A business needs to realize that they carry an even bigger responsibility because of the exponential additional damage that can be done to innocent people's lives because of their cavalier (or ignorant) attitude.
Public websites, and computers that host public information, which are accessible to every jerk on the internet should be compared to a bank or a store, not a private home. If I walk into a bank and see a stack of (my?) money sitting on the counter and no one is watching it, I have a responsibility to let someone know and they have a duty to fix the problem and sack the idiot responsible.
OTOH, if I see the money and don't point it out, instead opting to walk up to the manager and say "You are about to lose $$$, give me big bucks and I'll tell you how to avoid it," that's extortion. I'd expect to be thrown in the clink. But, if I can prove that I've acted in good faith and pointed out the security problem to the company and I can also prove that they have not acted on it in a (reasonable?) amount of time - I should be able to report it to a "responsible agency" and be able to file a (monetary/punitive?) claim on the negligent company commensurate with the potential damage as determined by a panel of unbiased experts (if you can find them).
Personally, I think this guy's a jerk who is trying for the quick buck. But I'm willing to admit that I don't know the whole story, since I couldn't be bothered to RTFA. It just bugs the hell out of me that some people are so insecure with their own capabilities that they would rather risk compromise than admit they were wrong and fix the problem.
"terrorism" and "pedophilia" are the root passwords to the Constitution
Funny how they could catch one guy, but 12 generations of Nigerians with multi-million dollar treasures are untraceable.
The Slashdot Paradox: "100% Overrated"
A tip for future reference: print out copies of everything you send via email and send it via insured mail to "Attorney". If they don't have an attorney because they are small, the president or a member manager will open it. This small bit proves that you are opening serious correspondence with the company in question.
I've done this before and every time was either reimbursed via merch or company swag well above and beyond the cost of my letter. Email does work and is fast, but with so many scams coming in via email, and since it isn't secure, you often get taken at less than face value.
Then again I've ignored problems and didn't order from some small vendors because of their awful security. (My power company actually redirects via encoded url all your info to a 3rd party site via http who then bounces it another internal server via http before sending it to the paying agent via https; they've yet to reply to any of my letters.)
There was a white supremacist group in Texas (with a cyanide bomb, 500,000 rounds of ammo and lotsa other WMD) who ONLY got caught by accident!
This was just a few weeks ago and BTW, they haven't caught all the members. Here's the link.
Debunking the "59 Deceits"
Sure a hardware scanner could detect something with 0 latency, but that something would need a comparator as wide as the entire string to match, multiply that by the number of possible shifts in the analytic unit you are considering.
Moreover, you would need multiple units to match multiple strings. So if you had a list of 256 "bad" strings, you would need a fan-out of 256 on the signal, or have a system clocked a certain factor faster with the same amount of internal parallelism. In any case this is non-trivial in dedicated hardware, even with fancy shit like FPGAs and 90 nm processes.
This would be a big expensive machine they would have to install at every ISP. No, I don't think the FBI could pull off putting together something that specialized. The NSA? Quite possibly. But it would be hard to get ISPs to buy into it.
And what the hell does that have to do with AM radio? The RF your computer emits is primarily in the form of the magnetic fields induced by fans and drive head motion (provided you turn off your monitor... you know, Tempest)... good luck getting anything damning out of that.
You need to loosen your tin foil hat, it's on a little tight and has distorted your grasp of information theory and physics.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
They probably just looked @ the "X-Originating-IP" header in the raw view of the e-mail... and then traced the IP to some ISP... and finally to the user.
Buy a Robot dog!
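Reading the X-Originating-IP header out of the raw message is the first thing an abuse desk would do. As an added example, not code from the thread, this pulls that header and the Received relay chain out of a constructed raw message with Python's standard email module; the hosts and addresses are made up (documentation ranges), and the docstring notes which hops can actually be trusted.

```python
import email
import re
from typing import List, Optional

# Constructed raw message for the example; the addresses are documentation ranges, not real hosts.
RAW_MESSAGE = """\
Received: from mail.example.org ([203.0.113.10]) by mx.corp.example with ESMTP; Fri, 24 Oct 2003 09:15:02 -0500
Received: from webmail.example.org ([198.51.100.7]) by mail.example.org with SMTP; Fri, 24 Oct 2003 09:14:58 -0500
X-Originating-IP: [192.0.2.44]
From: someone@example.org
To: abuse@corp.example
Subject: constructed sample

(body omitted)
"""

# Bare IPv4 address, optionally wrapped in the square brackets webmail services use.
IPV4_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def originating_ip(raw: str) -> Optional[str]:
    """Return the address in X-Originating-IP, if the sending webmail service added one."""
    value = email.message_from_string(raw).get("X-Originating-IP")
    if value is None:
        return None
    match = IPV4_RE.search(value)
    return match.group(1) if match else None


def received_chain(raw: str) -> List[str]:
    """Relay addresses from the Received headers, oldest hop first.

    Each server prepends its own Received line, so the top one was written by the
    last (your own) server and is the only hop you can vouch for; anything below
    it, and X-Originating-IP itself, could have been inserted by the sender.
    """
    hops = email.message_from_string(raw).get_all("Received") or []
    ips: List[str] = []
    for hop in reversed(hops):
        match = IPV4_RE.search(hop)
        if match:
            ips.append(match.group(1))
    return ips


if __name__ == "__main__":
    print("X-Originating-IP:", originating_ip(RAW_MESSAGE))
    print("Received chain  :", received_chain(RAW_MESSAGE))
```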