Slashdot Mirror


Feds Thwart Extortion Plot Against Best Buy

hiero writes "From an article in the Star Tribune: 'Federal authorities said Tuesday they thwarted an extortion plot against Best Buy Co. Inc. by a man who sent the company an e-mail threatening to expose what he claimed were weaknesses in the retailer's computer system unless he was paid $2.5 million.' What's really interesting to me, though, is this paragraph further on in the article: 'The federal search warrant was obtained the morning of Oct. 24 and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.' Internet Protocol Address Verifier? Is this Carnivore in action?"

11 of 942 comments (clear)

  1. Re:I think... by 1u3hr · · Score: 5, Insightful
    Sorry but no is doesn't, I use outlook at work and i have to allow mine to return a reciept, if i cancel the request nothing is returned to the sender

    But if you reeive an HTML message that includes an IMG link to the senders' site, when Outlook displays the image (even if it's an invisble 1 pixel one) they have your IP. There are ways to block this, but it's on by default. Spammers use this to verify your address.

  2. Where is the line to be drawn? by etymxris · · Score: 5, Insightful

    Is it when he offered a "business relation" in exchange for fixing the problem? Or was it when he threatened to disclose the flaw? Or was it merely because he wanted money in return?

    Had he just disclosed the flaw, would he more or less a criminal, ethically and legally speaking? It seems that worse would have come if he had simply published the flaw right away.

    Was he justified in asking for compensation for his findings? If not, this seems to obligate us to "work for free" when discovering such a security problem.

    What do others here think?

  3. Carnivore? More like overreaction by bwalling · · Score: 5, Insightful

    They got a warrant BEFORE they used the program. Whatever the program did - read information from his PC or just return IP address - it was a valid, legal search. We should be considering this a victory for our rights. The only way I can see anyone complaining about this is if the warrant was improperly obtained, but it seems entirely reasonable to "search" the email address that has been attempting blackmail.

  4. Re:Well, ironic isn't it? by UnknowingFool · · Score: 5, Insightful
    When legitimate security people point out bugs and holes, they get treated like scum and are threatened with law suits. So whats the best thing to to? Threaten the companies with money. Even if 0.1% of the companies gave in, it still is a way of making money

    Although the article is not very detailed in this aspect, his actions do not speak of someone trying to help BestBuy. Some of the info is not released due to security concerns and pending litigation but this seems more like a black mail scheme more than anything else. If he was serious about helping BestBuy, asking for money ($2.5 million) sent the wrong message because the mafia also used terms like "business relationship" and "offer they can't refuse" when shaking down people as well. Until we know more, all we know is that he said enough in his emails that BestBuy and government thought he was threatening.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  5. Re:IP Address Verifier == web bug by DrSkwid · · Score: 5, Insightful

    >if this is the case then this simply re-enforces my belief that criminals are some of the stupidest on the planet.

    clever criminals don't get caught so you don't hear about them

    FBI Files and COPS tend not to show you cases where the perpetrator outwitted the victims *and* the police *and* the FBI.

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  6. This doesn't make sense by kmeson · · Score: 5, Insightful
    We are to believe that this guy is savvy enough to spoof his email headers so that his email address can't be traced, but not smart enough to turn off receipt verification and HTML rendering in his email program.

    You have to realize that we are getting our information about this incident from a NEWSPAPER, which the very least reliable source for technical topics. Remember this clueless newspaper article?

    I'd say we know little about what actually happened here.

  7. Please Think Before Exposing Paranoia by reallocate · · Score: 5, Insightful

    This is not surveillance. This is just identifying the IP address of the recipient of email. Seems to me that's rather similar to using ping or whois. IP addresses and domain registrations are public, not private.

    It's also rather similar to your local mail carrier knowing where you live. Is that surveillance, too, or are you simply paranoid?

    If Best Buy had received the same threat via snail mail, and the FBI looked at the return address on the envelope, would you be screaming about surveillance?

    The Internet is not some mystical land that exists apart from reality and the law, contrary to the constant stream of silly /. posts that sxeem to believe otherwise. Get over it. The Internet is not special and people don't get a free pass because they use it for criminal behavior.

    Next time, please think bekore exposing yourself as a paranoid llon, OK?

    --
    -- Slashdot: When Public Access TV Says "No"
  8. Re:is carnivore bad? by Sivaram_Velauthapill · · Score: 5, Insightful

    Obviously you have never lived in a country that kills its OWN citizens. Obviously you haven't heard of the totalitarian regimes in Germany, USSR, and USA's close friends Saudi Arabia and Egypt. Obviously you haven't heard of the damage done to civil rights activists in the 60's by the FBI and the CIA. Obviously you have never been targetted by the police. Obviously you are not a minority man (particularly black) living in some parts of USA. Obviously you haven't heard of the infiltration of the FBI by organized criminals (particularly the Italian mafia in the 60's and 70's). Obviously you haven't heard of police fabricating information and jailing people. Obviously you haven't heard of the government cooking up bogus charges and jailing people. Obviously McCarthyism is not part of your collective mind. Obviously you haven't heard of John Ashcroft's recent decree to spy on antiwar activists. Obviously you believe the legal system represent justice....Obviously you underestimate the power of the goverment.

    So to answer your question, I would rather have some guy off the street spying on me than the goverment ANY DAY OF THE WEEK! There is something that you don't understand about the government--any government. Governments are far more powerful than 1000 people put together! They have immense power. The illusion of a legal system--which IS an illusion--does not change any of this. One just needs to look through the history of the government that you live under to see what I mean (I picked USA but you can pick any govt).

    Sivaram Velauthapillai

    --
    Sivaram Velauthapillai
    Seeking the meaning of life... @slashdot of all places ;)
  9. Double Standard by delcielo · · Score: 5, Insightful

    We applaud the hackers who so cleverly get around protections on technology. We had our "Free Kevin Mitnick" and "Free Dmitry" campaigns.

    Here is a nice hack done for a good reason by the same law enforcement that is supposed to investigate and stop such crimes as extortion. And how do we react? Government spying! Conspiracy!

    Really. That's just not very reasonable on our part.

    --
    Hot Damn! It's the Soggy Bottom Boys!
  10. Re:What are you supposed to do? - options by silverbax · · Score: 5, Insightful

    I've actually run into this issue a few times. The action I've taken in the past pretty much directly relates to the severity of the security flaw. For example, I've seen URL hacks which allow you to grab another customer's credit card information, and then some which allow only address information.

    My rule of thumb is that if a piece of information can be obtained and tracked to a specific individual, it's dangerous. That's the rule I use in my work as well.

    When I decide the situation warrants it, I send a professional, formal email to the company ( also the web admin if there is one ), stating what I found, screenshots and leave it at that. Sometimes I will point out that I intended to place an order, but halted when I saw the issue. I also let the company know they may contact me if more information is needed.

    This is what has happened in the past following these emails:

    1. Almost all companies send me an email thanking me and letting me know the problem has been corrected, and it has been. Case closed.

    2. I get a nasty email from the company ( usually this is with SMALL operations) telling me to take my business elsewhere. At first I would attempt to politely explain the risk, but soon realized that some sites have no intention of listening to me, and gave up. In that case, I may notify the BBB or other organization just to get someone else on their tail. I don't have time to chase down other people's security holes, so the best I can hope for is to let others know.

    In any case, I always use the Enron rule: What if I later had to explain my actions to a grand jury?

  11. Re:However, a bug says: "you're being bugged" by petard · · Score: 5, Insightful

    The problem with an embedded image bug is that if the recipient views the source of the email -- and presumably this alleged extorter is a techie -- it's easy to spot such a bug, and so there's a real risk that including a bug would tip him off to the investigation.

    Only when you're doing mass mailings. If it's targeted, it is indistinguishable from a standard image... e.g.

    http://corporate.bestbuy.com/images/corporatelog o. jpg

    could be a web bug if you only send that URL to one person. The reason it's more obvious in mass mailings is because they require a unique identifier to have something to map back to the email address such that they can verify the address as live.

    --
    .sig: file not found