Slashdot Mirror
Feds Thwart Extortion Plot Against Best Buy
hiero writes "From an article
in the Star Tribune: 'Federal authorities said Tuesday they thwarted an extortion plot against Best Buy Co. Inc. by a man who sent the company an e-mail threatening to expose what he claimed were weaknesses in the retailer's computer system unless he was paid $2.5 million.' What's really interesting to me, though, is this paragraph further on in the article: 'The federal search warrant was obtained the morning of Oct. 24 and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.' Internet Protocol Address Verifier? Is this Carnivore in action?"
I think it's called a return receipt :-D Probably was using Outlook which automagicly sends one when requested.
Blogzine
That's what happens when you try to extort a big company using Outlook.
"0101100101? It's just jibberish. *looks in mirror, gasps* 1010011010@!? AHHHHHH!!"
Okay... I'll do the stupid things first, then you shy people follow.
[Zappa]
and this is where he's going to say his computer was hi-jacked, right? Even Carnibore has its limitations.
Easy does it. You don't need a big surveillance program, just add a bug to your email that "grabs" the reader's IP addy and voila!
Easy does it, apply the KISS principle to life.
~~~Please pass the salt, I hate unsalted MD5s
sounds so much better than "ping"
I think that it would only work if you were able to obtain an email address that a spammer actually checked, and we all know how hard those are to come by.
"0101100101? It's just jibberish. *looks in mirror, gasps* 1010011010@!? AHHHHHH!!"
One one hand, if a genuine white hat hacker finds an exploit in a network and told the owners about it, s/he finds himself ostracized for the actions, and is threatened with legalities.
And on the other hand, what this guy tried to do was establish a "business relationship" -- notice that he did try to contact them first with the offer to help them:
The e-mail also offered to establish an unspecified business relationship between the sender and Best Buy, adding: "Without your response, we are obligated to share the security hole with the public for their protection. As a result, Best Buy may experience a loss in business, thefts and lawsuits."
Ofcourse, once he noticed he wasn't getting anywhere, he decided to resort to good ole' blackmail.
Honestly, this was bound to happen some day or the other. When legitimate security people point out bugs and holes, they get treated like scum and are threatened with law suits. So whats the best thing to to? Threaten the companies with money. Even if 0.1% of the companies gave in, it still is a way of making money.
Good, atleast this way companies will be more careful about protecting data.
Hmm, sounds like a fancy name for a computer expert. All you have to do is read the SMTP headers in most email and it will reveal the sender's IP. Just trace it back down the line of servers through which the email was routed, and you get back to the original IP address.
If the sender is spoofing headers, however, this becomes more difficult. Why not just subpoena the ISP for their email data? Doesn't the server keep a log of what IP addresses sent which pieces of email?
For example:
Received: from [65.119.30.157] (helo=SMTP.magnellmail.net)
by snoopy-bak.runbox.com with smtp (Exim 4.24)
id 1Ae9TJ-0006F6-B0
for xxxxxxxx@runbox.com; Wed, 07 Jan 2004 09:55:25 +0100
Received: from mail pickup service by E1SSL2 with Microsoft SMTPSVC;
Wed, 7 Jan 2004 00:56:48 -0800
The above shows that someone at 65.119.30.157 sent this email. It went through their mail server (magnellmail.net) to runbox, my provider. From there, Runbox directed it to my Inbox when I opened Outlook.
There is also a very unique message ID at the end of the headers section:
Message-ID: [E1SSL23ZpEVmkWFBXZG000011b9@E1SSL2]
Could this be used by the Email provider to find out who sent emails, if the IP address is missing or spoofed?
Homestarrunner.net -- It's Dot Com!
I did domething similar once. I put a tiny transparent image URL in a letter to try to get the IP address of someone. Then I monitored the server logs where the image was hosted.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Is it when he offered a "business relation" in exchange for fixing the problem? Or was it when he threatened to disclose the flaw? Or was it merely because he wanted money in return?
Had he just disclosed the flaw, would he more or less a criminal, ethically and legally speaking? It seems that worse would have come if he had simply published the flaw right away.
Was he justified in asking for compensation for his findings? If not, this seems to obligate us to "work for free" when discovering such a security problem.
What do others here think?
This is just a case of bad journalism. Of course, there are many methods of getting the IP of the receiver of an email The most common is a webbug (a link to an image on a server you control), but that requires for the culprit to use a mail client that renders HTML.
"Internet Protocol Address Verifyer" sounds like something you'd find in a Movie OS. Of course, like all other buzz words, the name is not related to the alledged function.
They either used a webbug, og checked the IP in the header of the mail he sent with his claim.
Personally, Why isn't technology like this being adapted to fight SPAM. Maybe the FBI is trying to keep tools like this under wraps so they can continue to use it against people, rather than knowledge of its existance being a deterrent... double-edged-sword i guess. I'm honestly curious how serious the extortionists were... The scheme sounds very half-hatched to me...
~~~ SCO sued me because I printed this t-shirt with a Linux driven printer...
They got a warrant BEFORE they used the program. Whatever the program did - read information from his PC or just return IP address - it was a valid, legal search. We should be considering this a victory for our rights. The only way I can see anyone complaining about this is if the warrant was improperly obtained, but it seems entirely reasonable to "search" the email address that has been attempting blackmail.
They probably just read the mail headers as soon as he replied to the letter they sent him. From this and the time the email was sent they probably had no trouble asking his isp for the user information. Criminals are not always the smartest apples and he probably didnt even have a way to crack the website.
If he wasnt clueless he would have used a dummy email account and checked it via rental computer or at the very least a dial up account using *69 ( which can still leave your number ) and a prepaid credit card / gift card.
This guy reminds me of the old irc script kiddies who would do things from their house and wonder how they were tracked down. While anonomyzers are available it makes me wonder if he,
a. used one
b. had used a computer before
As to the FBI ip verifier i find it hard to believe they have anything more advanced then the current jscript / asp / log parsers to pull ip information.
AFIK the absolute most a email address can yeild is the ip of the server. However with the email headers im sure you can get a ip without too much trouble with a warrant.
Karma's over rated. Speak your mind.
Make sure you turn off Message Disposition Notification in your e-mail client.
Sheesh, evil *and* a jerk. -- Jade
Internet Protocol Address Verifier? Is this Carnivore in action?"
That'll be a tiny 1x1 pixel gif embeded in a HTML e-mail called from the feds server.(AKA web bug... You cant turn off HTML in M$ LookOut and this dude dosent sound very clued up)
Presto, the feds know who opend the mail how long they looked at it etc etc etc.
A top tip (tm) is to embed a web bug in a job aplication e-mail. Its interseting to watch your aplication being pushed around various departments and see who actually reads it.
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
the Internet Protocol Address verifier get into the hands of the RIAA.. we would not want more 12 yr olds and college students being fined ridiculous amounts, would we? :D
|/________
|\A|ALYS|
Over here there is a Congressional Statement of what Carnivor "officialy" does, or is "allowed" to do. One paragraph of this statement:
Carnivore is a very effective and discriminating special purpose electronic surveillance system. Carnivore is a filtering tool which the FBI has developed to carefully, precisely, and lawfully conduct electronic surveillance of electronic communications occurring over computer networks. In particular, it enables the FBI, in compliance with the Constitution and the Federal electronic surveillance laws, to properly conduct both full communications' content interceptions and pen register and trap and trace investigations to acquire addressing information.
gives us the gist of it. So yes this very well be Carnivore in action.
"It usualy starts with some screaming. Afterwards there is much running around."
This is the first time google has heard about it as well, apparently.
I'm much more concerned that their cash registers use WiFi without a lick of encryption... I read several stories a while back about people sitting out in the parking lot with sniffers, capturing credit card information...
Somehow, this power accumulation and surveilance (sic) reminds me of Senator Palpatine. I just hope I'm wrong.
Huh. It reminded me of Stalin and Beria and the NKVD, but you're right, better we should take our lessons from space opera than from history.
George Lucas's fertile imagination is so much more convincing than those ponderous, dusty history books. And you can't eat popcorn and jujubes while reading books, it gets the pages too sticky.
Opinions on the Twiddler2 hand-held keyboard?
When you find a bug, no matter how serious with someone's system, publish it. Why do I speak such insanity? I reverse engineer hardware and some software for fun, if I find a bug I'll report it because I'm a nice person and I'd like it to get fixed. I understand that our society works only because the black caps have realized when they found a doomsday bug that implementing it would mean they turn society into hell and they'de be right in the middle of it. I'd like to make a difference and help to defend myself by helping others out, this is how I convince selfish self to help others.
So, since you don't want to treat me with respect like I treat you with respect, from now on I won't be nice or treat you with respect. I'll publish your flaws for all to see. It can be as big a publication as slashdot or bugtraq, or as small a publication as telling my friends and throwing it up on p2p.
I guess we'll have to teach them what happens when they treat us with no respect. This is a decision every white cap has to make for themselves.
I for one, am done playing the part of the nice martyr. The day I get arrested and incarcerated for releasing information I or someone I know researched because someone doesn't like loosing money is the day we no longer live in a free country, and the day I go black cap. Believe me, I don't want it to come to that, I like my steak and potatoes and living in a nice house, but if that's where it's going I am going to defend my hobby.
Candy-Coated Knowledge
Even there may be something that may trace from wich (IP) address an event happened (thou I completely agree with the 1x1 gif idea) . I don't see how it may prove something in court.
What if the email was send (the smtp server was invoked) from a compromised computer. There are lots of win98 online with hundreds exploits ready waiting for somebody who needs an IP to do something from. What if the person uses a cascade of proxyes and shells.
I will just mention all the possibilites the iproute2 package gives to move network segments and obscure what is going on.
We should do everything possible to prevent the court system to take computer generated information (logs) as a reliable evidence, because it may be just the start of the witch hunt...
You cant turn off HTML in M$ LookOut
;-)
Oh yes you can - something I rely on to avoid spammers using the same trick!
this dude dosent sound very clued up
My thought exactly
A top tip (tm) is to embed a web bug in a job aplication e-mail. Its interseting to watch your aplication being pushed around various departments and see who actually reads it.
h eck.ins.govr rorism.dhs.org. com
Yes, it's very interesting. For example, here's the log of all the machines who accessed my web bug when applied for a job at the DHS:
frontdesk.dhs.gov
hr.dhs.gov
check.dhs.gov
c
check.irs.org
it.dhs.org
counterte
legal.dhs.org
submitsubpoena.aol
bust.usmarshals.gov
brb 2 secs, someone's at the door...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Anyone that reads 666 otherwise known as the hacker quarterly knows about all the problems in Best Buys network.
It even goes in depth on how to get into thier private network from a display PC.
How to find info on hiring and firing people etc.
How to order stuff and have it sent.
and few other ways of hiding yourself, as below
1. Dedicated firewalled Linux Laptop with WLAN, and changing MAC
2. WarDrive around for a unsecure internet connection.
3. Use proxies from unsecured PC's, lists available from DBL providers, or you Email server logs.
4. Setup up a web mail account, and send business proposal.
5. WarDrive to other access poiunt for continuing dialog
6. Travel around a bit to avoid setting a Wardrive pattern
I would think this would be very difficult to trace without social engineering
mailto:EatSpamAndDie@princeweb.com
Yeah but since PATRIOT, everything is a valid search...
The best way to do this would have been to use anonymous remailers and a nym address. Then you are protected from ISPs subpoenaing logs, as well as the email being encrypted and bounced around the net before it ends up in your inbox.
Those interested in finding out more about anonymous remailers should take a look at the APAS FAQ
However, were he to have the final email arriving in his Outlook, and he decrypted it with the PGP plugin, then a web bug could well have taken effect.
More likely they used some unpublished vulnerability in Outlook, possibly even one that the FBI found themselves...?
You cant make anything foolproof, they'll only invent better fools.
Is this Carnivore in action?
:)
No, it isn't. Like another poster said, this is really just a web bug. Carnivore is a sophisticated system for parsing billions of e-mails and flagging interesting things like threats against the President for analysts to examine, but has nothing to do with validating return addresses or anything like that.
The only way to actually know that someone is actually receiving your e-mail at a particular location is to include a web bug that reports their IP address back to you, by opening a socket connection directly to something on a server you own (e.g. an image). So either include an image in the e-mail which is requested from your server, or include a trojan that "phones home" when they run it.
It works. Try it the next time you want to see who's really spamming you. Just send a web bug to whatever the response address is they want you to contact, (you know, for your Nigerian money-laundering instructions), and then examine your server logs carefully to find out where they really are in the world. Of course, you could also send them a backdoor if you wanted, instead of just a beacon, but I would never countenance such uncivilized behavior
I guess the DTMF has changed!
Ok , thats a bit obscure but a real hacker will know what I mean.
Exactly, Everyone goes into a big sniff when the FBI is using Carnivore or whatever else. But as I see it the Bad Guys have the same type of tools just under many different names. Your phones can be tapped, there could always be an agent listing into you conversation out in the street, you home can be bugged, and now they monitor your internet connection. This is not a change in our privacy, basically by law when ever the government get a warrant (A warrant is issued when their is probable cause) the officials can invade our privacy. Now the FBI neither has the Manpower or the money to monitor everyone on earth or even the USA or Even New York. So they go after who they expect are the trouble makers. Now the Bad Guys who have their collection of smaller tools who can do the same thing will be targeting after the common folk because they don't care what damage is done, Plus they are a lot more of them then the FBI.
So who would you rather have spying on you. The FBI who has to deal with Tons of paper work to even start spying on you then needs to make a strong case that you are a criminal, worthy of prosecution. Or some random Hacker/Cracker guy who just randomly found your IP address and spies on you. Then is willing blackmail you into whatever morally questionable thing you do on the internet (say your job is a minister and you have been viewing adult porn sites (Which is legal but you don't want it to be public)).
I much rather have FBI spying on me and then realizing well he is not doing anything illegal. Compared to a random hacker going, Ohh I bet he doesn't want people to know that he does that.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
You have to realize that we are getting our information about this incident from a NEWSPAPER, which the very least reliable source for technical topics. Remember this clueless newspaper article?
I'd say we know little about what actually happened here.
You guys are forgetting that for Best Buy to be able to contact him, he'd almost certainly need to leave an email address. Unless he did so with an address hosted in a foreign country, they could have just searched his email provider's server logs and gotten his IP address that way.
(Somewhat off-topic, but a related topic, honestly)
About a month ago I discovered what could be deemed a weakness in a relatively popular online merchant's order status system, allowing anyone to view the order status for any order in the system just by changing an ID field in the URL. I often try changing such values in URLs like this for no real reason (a habit from designing my own web-based scripts), and I've never found an exploit until now.
So with a simple perl script, it would be possible to download and parse the mailing address, shipping address, items ordered, amount paid, credit type (NOT credit card type or credit card number, thankfully) and other assorted information for any given order. After some brief checking, I determined there were over five million orders viewable in this manner, going back a few years.
So what am I supposed to do? I have no interest in establishing a 'business relationship' with this online merchant, telling everyone how to do it seems like it would cause more harm than good, and I fear being ostracized or even litigated for 'hacking' if I tell the company, even if all I did was change a sequential, non-encrypted number in an URL.
Or is the information accessible not a big deal to worry about?
Imagine his surprise when he received a $2.5 million Best Buy Gift Card in the mail. Doh!
I imagine that yep, this person isn't savvy enough to not use html email, and they slipped a web bug into the email. Hell I'd try it just on the off chance, and it looks like it paid off for your Feds that time...
I've had one case where a friend and I were writing a boobytrapped shell on a Linux box, to use as the login shell for a suspected system cracker, and he logged in, saw the new shell (which we hadn't quite installed yet) and RAN THE BLOODY THING FOR US! We got all the data we needed to track him down right there and then, phoned his ISP and got him shut off on the spot.
So - yes, even the more savvy often do really really stupid things...
-- ted russ http://www.arach.net.au/~ted/mydynes/ http://www.arach.net.au/~ted/myblogs/
Uh, the likelihood is that it was a web bug, in which case webmail won't help - the request comes from your browser, and thus IP. In fact, webmail makes it worse, because a lot of email software can disable web bugs or can't display them to begin with, web browsers don't tend to disable loading remote images ;-)
Free Java games for your phone: Tontie, Sokoban
This is not surveillance. This is just identifying the IP address of the recipient of email. Seems to me that's rather similar to using ping or whois. IP addresses and domain registrations are public, not private.
/. posts that sxeem to believe otherwise. Get over it. The Internet is not special and people don't get a free pass because they use it for criminal behavior.
It's also rather similar to your local mail carrier knowing where you live. Is that surveillance, too, or are you simply paranoid?
If Best Buy had received the same threat via snail mail, and the FBI looked at the return address on the envelope, would you be screaming about surveillance?
The Internet is not some mystical land that exists apart from reality and the law, contrary to the constant stream of silly
Next time, please think bekore exposing yourself as a paranoid llon, OK?
-- Slashdot: When Public Access TV Says "No"
Huh. It reminded me of Stalin and Beria and the NKVD, but you're right, better we should take our lessons from space opera than from history.
In Imperial Coruscant, history takes lessons from YOU!
Hey dumbass! If you had bothered to do even the simplest of searches, you would find out that Best Buy stopped doing this long ago.
without their permissions you are a criminal, both legally and morally. My stuff is my stuff and I'll thanky ou to keep your hands off it. If you wish to audit anyhting I have, physical or virtual, you'd better ask my permission first, or you'll face consequences.
This seems perfectly reasonable and there is plenty of precident in the physical world:
My house has many known security flaws. The largest would be the windows. They are easily broken with just a rock, allowing access. My door would also be a flaw, it's solid, but nothing a battering ram in experienced hands couldn't break down in a few minutes. My lock is aslo a flaw. IT's better than most, a high security lock that is much harder to pick than normal, but it still is pickable.
So, if someone breaks into my house and demands money to fix it, should I honour that? No, I'd by perfectly jsutified in holding them at gun point and calling the police to have them punished. Regardless of thier intent, it's MY house and you'd better not enter it without my permission.
It is similar for computer systems. If I pay you to hack my stuff and report on it, great. YOu are providing a valuable service and I thank you. IF you break into my stuff without my permission, you are a criminal pure and simple.
Also, demanding money ex post facto is something else we have a law against, it's called balckmail and is illegal.
Look, if you want to find flaws in stuff, do it legally. Contact the owner and ask if you may hack them. If they say no, move on. IT is not your duty or right ot mess with their stuff without permission.
Look, if you have a peice of software and you hack it on your own systems and/or network, that it leagal. You then publish teh exploit, also legal. However if you come and hack MY network without my permission, that's NOT legal.
People who illegally break into systems deserve no more respect or consideration than people who illegally break into houses. You have no right at all to enter or use other people's property without their permission. Don't pretend like because it is a computer system that makes it any better.
IT's like lock picking. IF you want to learn to pick a lock and find out its venurabilities, go right ahead. But do it on a lock you own. But the lock in question and play with it. To go to someone else's house and try on their lock without permission is illegal and immoral. You've no right to mess with their property.
So if you get asked/hired to test someone's security (physical or virtual), great. Do what you can and give them a report. If you have something you own (physical or virtual) and you discover a security flaw, great, make it known so a fix can be developed. But do NOT presume you have the right to invade the property of others. It doesn't matter if it is venurable or not, it's not yours so you keep out.
The #1 tech support issue after Office 2003 comes out:
"Where the heck are my images? Please make it act like the old Outlook."
Its good MS is doing this by default, but most users couldn't care less about security/privacy especially when it inteferes with "purty pictures."
The problem with an embedded image bug is that if the recipient views the source of the email -- and presumably this alleged extorter is a techie -- it's easy to spot such a bug, and so there's a real risk that including a bug would tip him off to the investigation.
So, it may be an HTML bug, but perhaps not...
Here's what I do: Bitty Browser & Andromeda
I don't think this is Carnivore in action. It's just now how it works. Carnivore is a box that would be in place at the user's ISP, not at Best Buy.
a rnivore.htm
Education:
http://computer.howstuffworks.com/c
geek n performer who performs morbid or disgusting acts, as biting off the head of a live chicken
Obviously you have never lived in a country that kills its OWN citizens. Obviously you haven't heard of the totalitarian regimes in Germany, USSR, and USA's close friends Saudi Arabia and Egypt. Obviously you haven't heard of the damage done to civil rights activists in the 60's by the FBI and the CIA. Obviously you have never been targetted by the police. Obviously you are not a minority man (particularly black) living in some parts of USA. Obviously you haven't heard of the infiltration of the FBI by organized criminals (particularly the Italian mafia in the 60's and 70's). Obviously you haven't heard of police fabricating information and jailing people. Obviously you haven't heard of the government cooking up bogus charges and jailing people. Obviously McCarthyism is not part of your collective mind. Obviously you haven't heard of John Ashcroft's recent decree to spy on antiwar activists. Obviously you believe the legal system represent justice....Obviously you underestimate the power of the goverment.
So to answer your question, I would rather have some guy off the street spying on me than the goverment ANY DAY OF THE WEEK! There is something that you don't understand about the government--any government. Governments are far more powerful than 1000 people put together! They have immense power. The illusion of a legal system--which IS an illusion--does not change any of this. One just needs to look through the history of the government that you live under to see what I mean (I picked USA but you can pick any govt).
Sivaram Velauthapillai
Sivaram Velauthapillai
Seeking the meaning of life... @slashdot of all places
We applaud the hackers who so cleverly get around protections on technology. We had our "Free Kevin Mitnick" and "Free Dmitry" campaigns.
Here is a nice hack done for a good reason by the same law enforcement that is supposed to investigate and stop such crimes as extortion. And how do we react? Government spying! Conspiracy!
Really. That's just not very reasonable on our part.
Hot Damn! It's the Soggy Bottom Boys!
Hmmm. Really reminds me more of J. Edgar Hoover. But you are right. Better we should take our lessons from across the oceans than from the fascists in our own backyard.
(not that Stalin and Beria were nice guys, mind you -- it's just that there aren't mass executions in the U.S. yet)
I've actually run into this issue a few times. The action I've taken in the past pretty much directly relates to the severity of the security flaw. For example, I've seen URL hacks which allow you to grab another customer's credit card information, and then some which allow only address information.
My rule of thumb is that if a piece of information can be obtained and tracked to a specific individual, it's dangerous. That's the rule I use in my work as well.
When I decide the situation warrants it, I send a professional, formal email to the company ( also the web admin if there is one ), stating what I found, screenshots and leave it at that. Sometimes I will point out that I intended to place an order, but halted when I saw the issue. I also let the company know they may contact me if more information is needed.
This is what has happened in the past following these emails:
1. Almost all companies send me an email thanking me and letting me know the problem has been corrected, and it has been. Case closed.
2. I get a nasty email from the company ( usually this is with SMALL operations) telling me to take my business elsewhere. At first I would attempt to politely explain the risk, but soon realized that some sites have no intention of listening to me, and gave up. In that case, I may notify the BBB or other organization just to get someone else on their tail. I don't have time to chase down other people's security holes, so the best I can hope for is to let others know.
In any case, I always use the Enron rule: What if I later had to explain my actions to a grand jury?
Outlook 2003 has the option to both disable HTML and to disable loading of images, specifically aiming at web-bugs. Stop basing all of your opinions on 1997 era Outlook Express.
/.ers, so this will be marked as trolling.
Obviously I just defended MS against outdated and uninformed
I think you'll find this was carnivore's "chain of evidence" feature in operation, and guessing at how they verified the recipient IP won't do you much good. Remember that NSA still measure computing power in acres.
The Slashdot Paradox: "100% Overrated"
As opposed to a big company who tries to extort us to use Outlook?
My beliefs do not require that you agree with them.
Here are three ways to get on America's Dumbest:
1. Rob Taco Bell right after filling out job appication and interview. Be arrested when cops show up at your address on the application.
2. Send extortion/blackmail emails using MS-Outlook from your normal ISP account. Be busted when FBI sends email using marketing tool like Neighborhood Email or eZine Manager. FBI is too embarassed to admit they used an e-newsletter tool and come up with the "ip address verifier" device.
3. Shoplift naked. Be arrested when cop identifies the incredibly stupid butcher's meat chart tatoo when streaking through campus on a dare.
4. Keep crack pipe, crack and lighter in glove box. Be arrested when you see a billboard advising "Drug checkpoint next exit" and begin throwing crack, lighter and pipe out the window while police are video taping looking for people throwing drugs and paraphanellia out the window.
-- $G
We need as big and powerful of a government as possible. Higher taxes, more police, more spyware, more surveillance. Thats the whole goal the republican party isnt it? Well Mission Accomplished. Next time I'm voting Libertarian (Ex-Republican)
People don't exist to serve systems, systems exist to serve people.
Everybody applying for a government job goes through a counterterrorism check. I wanted to get a part-time job at the local Secretary of State office. All I would do is sit there and take driver's license pictures and hand them to the lady who entered the information into the computer. However, they decided I was a potential terrorist. Apparantly, I'm safe enough to go out and buy a gun, watch people's children or pets, or even substitute teach in an elementary school, but I'm too dangerous to take driver's license photos.
It's not smart, or correct, but that's just the way it is.
Can we use it to trace and arrest those bastards that send out 'pay us $699 for Linux' extortion letters?
for a new keyboard - i was happily drinking my milk and reading /. when as I made my way across yours post, inexplicably it all came out gushing through my nose -
They insert a 'special' serial binary stream - one that can be imbedded in pictures (child porn), email, Warez, illegal MP3s - you name it. They then have a special listener installed at the majority of all ISPs - whenever this special stream comes through a (logical) wire it logs the IPs, logon info etc. Very efficient, very secure, very accurate.
Actually, I just made all this up, but now that I mention it, does anyone think they're are getting away with anything anymore?
slashdot troll = you make a compelling argument I do not like the implications of.
This is another reason I like reading /. You guys give me a good whack on the side of the head on nearly a daily basis.
.gif files where a server-side plugin can compare the requested .gif to a known email and verify "yep - that addy is active" - even when most people ignore the unsubscribe links.
I read this and was foolishly thinking (probably like many do) that "oh, if I don't download an attachment and execute it there really is no danger. I mean really, if I don't "run" anything, how would anyone know?"
Silly wabbit is right. It's another case myself of not being able to see the forest for the trees.
I guess ANY HTML email can be malicious in a sense that it can snarf info if it actually interprets and points you to ANY website when you read it in its rendered state.
Talk about eye opening. I'll bet 90% of the general public don't actually realize this can easily be done for targeting purposes. With this in mind it's probably not hard (and don't flame me for not knowing this guys) but targeted spam in order to verify addresses could point to "specially coded"
"The aspects of things that are most important to us are hidden because of their simplicity and familiarity" - Ludwig Wittgenstein
Never have a philosophy which supports a lack of courage
Interestingly, the article does not mention if there was an actual security flaw or if they fixed it. I would guess that in the process of arresting this idiot they confiscated his computer and can see what tools he was using. If he was very "professional" about his demands he might have had the document describing the exploit all ready to go, so he could send it to them as soon as the $2.5 million showed up in his bank account.
So was there an exploit? This is some pretty shoddy reporting if they are going to simply trumpet what the FBI did without investigating whether this guy posed a serious threat or not.
Lasers Controlled Games!
No law prevents putting an image in a HTML e-mail YTC !
The fact the image happens to be served from a server for which I have access to the logs is irelevent. Many people include a photo (as oposed to a 1x1 gif) in a job aplication mail. This image could easily be delivered from a remote server (under your controal) rather than be attached to the e-mail. After all, the remote machine requested that image! (since the user runs a HTML enabled mail client)
Please think before posting !
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
Thankfully, no company has yet exercised option 3: prosecute you for computer crime. It doesn't matter if they don't have a case or what laws are on your side -- they have the money, power, and desire to utterly ruin your life regardless.
These people market and sell a product they probably know is shoddy. What makes you think they'd have the moral fibre or restraint to refrain from shooting the messenger? You can't trust their software, what makes you think you can trust them?
I've finally had it: until slashdot gets article moderation, I am not coming back.
This stuff happens every day.. you get a warrant , you start investigation and you catch criminals ( you hope )
With a warrant you can do all sorts of invasive things, such as wiretaps, hidden cameras, borderline entrapment stings.. whatever the judge approves...
Just normally it doesn't reach the news, as its really not news worthy...
---- Booth was a patriot ----
Of course, this only works for people crazy enough to open emails in a program that accesses the web for content. Text-based email readers are obviously the way to go when sending threats _and_ opening email!
Here's a handy little trick:
$ look blackma
blackmail
blackmailed
blackmailer
blackmailers
blackmailing
blackmails
Blackman
Or just use dictionary.com. :-)
zWhat would an EWOULDBLOCK block, if an EWOULDBLOCK could block would? -- me
So who would you rather have spying on you. The FBI who has to deal with Tons of paper work to even start spying on you then needs to make a strong case that you are a criminal, worthy of prosecution
Apparently you are not aware of the civil rights oversite requirements removed in the "Post September 11th" world do a search on "sneek and peek"
Interesting idea. I wonder how to get per-process firewall functionality on Linux.
The only way to actually know that someone is actually receiving your e-mail at a particular location is to include a web bug that reports their IP address back to you, by opening a socket connection directly to something on a server you own (e.g. an image). So either include an image in the e-mail which is requested from your server, or include a trojan that "phones home" when they run it.
Wrong. If you were talking about you or me.. that would be true. But if you were talking about an organization that had the means to find any email on any provider, then all you would need is to include a unique identifier in the email so that you would be able to locate among the billions of uninteresting ones.
I used to monitor commercial pager traffic. So that on my PC I would see every page, from every person on a given provider. If I wanted to find the "capcode" (basically a pagers ESN) of a user on the system, I would only have to send them a page with a unique number and grep it. From that point on I could single that user out for monitoring. So, this could be the same thing, only with email. Word.
Didn't anyone else think that maybe just asking the reporter would do the trick? His email address is right at the bottom of the article.
<sarcasm> oh wait - this is slashdot right - only two people actually read the article. </sarcasm>
I emailed Mr. David Phelps asking what an "Internet Protocol Address Verifier" was and his brief reply was the following.
"it's commonly referred to as a web bug. i used the term as contained in the government's search warrant."
So while the theorizing here did come up with that as a possibility - it also came up with lots of other BS.
Now the bizarre thing is that the feds used such a wierd term. Then again to a judge or lawyer the term "web bug" probably seems pretty bizarre.
I bet he was just trying to get his rebate money from them.
-------- This space intentionally left blank --------
Didn't you notice the new subpoenaless powers just given to federal authorities in December?
Do you have any idea how much power has been taken away from the Judiciary in the past three years, and been given to the Executive branch?
Have you not noticed the new redistricting, combining Dem districts, and splitting Repub districts? Greatly reducing Dem numbers in Congress? The normal 10-year (agreed) redistricting was re-redistricted after elections that gave Repubs control -- it's a Tom DeLay program. One redistricted precinct in PA was actually shaped like a finger pointing at the home of a Dem congressman. Regardless of your views, do you think a monopoly is the best system? Depending on one source for your food/car/job/news/govt/etc? Because that's where we're going now at breakneck speed, Bucko.
Are you not aware that Gen. Tommy Franks recently said that in the case of another major attack, the Constitution may have to be suspended. So who decides? Hasn't America been through some pretty tough times without suspending the Constitution? Do you have any idea what all of this really means?! Surely you haven't actually thought this through.
There has recently been historic undermining of the US Constitution, intentionally promulgated by the ruling Party, which is bringing us to dictatorship.
You can't cover this up with charges of "paranoia".
Campaign finance reform is national security.
If you're looking for sources of information, Ward Churchill and Jim Vander Wall's book Agents of Repression: The F.B.I.s Secret Wars Against the Black Panther Party and the American Indian Movement (South End Press) is a good start. When large numbers of readers refused to believe the stuff they had written (even though it extensively referenced the FBI's own documents), they did a follow-up book that just reprinted the FBI material called The COINTELPRO Papers: Documents from the FBI's Secret Wars Against Dissent in the United States. Harder to disbelieve that, I guess.
I've found crimes that I could commit that would result in a couple million dollars payout, but would result in me leaving the country and being on the run. I think I could do it, but I also think that the life style would be uncomfortable at best. (I have a wife, kids, close family, friends, and toys that I'd have to leave behind.)
I am well on my way to making the couple million I would have stolen (spending along the way, so I will miss the one time big pile 'o money) with a comfortable, respectable life style not on the run from authorities.
I see in the paper guys going to jail for robbing a video store. Is jail worth a couple hundred bucks?! The risk/reward is lousy for theft. I don't understand what they ar thinking.
Joe
Joe Batt Solid Design
The FBI who has to deal with Tons of paper work to even start spying on you then needs to make a strong case that you are a criminal, worthy of prosecution....
:)
This is not necisarilly true. If the FBI wants, they can use the Patriot Act (where applicable, which is almost everywhere), to spy on you with out obtaining a warrant.
Now the FBI neither has the Manpower or the money to monitor everyone on earth or even the USA or Even New York.
This is of course why the Patriot Act gives the Feds there new powers. Of course the counter to that argument, is...
Now the FBI neither has the Manpower or the money to monitor everyone on earth or even the USA or Even New York.
Oh well, at least that caught a scum bag
Yet another geek who thought History class wasn't worth his time...
Do yourself a favor. Google "J. Edgar Hoover" and then "Nixon." Read about it for awhile. If you still think the FBI is staffed entirely by Mulder, Scully and Starling, Google, oh pulling one notorious name out of the air, "Pinkerton," and pay close attention to how they often co-opted law enforcement.
The Short Version: The Founding Fathers gave law enforcement very limited powers for extremely good reason.
He put his boots up on the table and made a face. "The sig," he smirked. "You can waste your life in search of the sig."
Pardon me if I do not sympathize with this guy who can spoof his e-mail address, but can't tell Outlook (I assume) to not display HTML. If he had just sent them a polite note that said "this is broke, here's how I discovered it, what it does, etc., here is how to fix it", then I think the community could be outraged. This is nothing more than a common criminal act. Just because it was tech-related does not make it more romantic or noble. And while you may not agree with the technology, which sounds about as mysterious as spyware, it served its intended purpose this time, in the future who knows though.
I hate sigs.
Yeah sure, "Internet device known as an Internet Protocol Address Verifier"
How much you want to bet this super dooper secret tool just creates an HTML message with an inline 1x1 gif/png/jpg image hidden in the body that makes a call to a webserver somewhere to download it.
This is what the spammers do to verify that people read their messages, and this is what I know some mailing list managers do in order to see if their postings actually get read.
Obviously doesn't help if you don't use something like Outlook or OE, but would work on most of the people out there.
Brielle
Ads say someone could steal your identity and you'll have no idea they did unless you pay $60 for their credit alert system that notifies you of changes on your credit report. Thats real extortion, credit agencies sell your info which then in turn used against you but the only way to protect yourself is buy service from them. Seriously what did this guy really do? He claimed to find a bug in bestbuy's system. And asked for money otherwise he would make it public. Is that so wrong? Hell to get off DMA mailing list I have to pay, either online with $ payment or by mail cost of the stamp and envelope and my time. They'll keep filling up your mailbox with their junk till you pay. Or phone companies that sell you antitelemarketer service, they are ones selling your phone number to the telemarketers. Or new cars now adays that have check engine light and annoying beep that comes on when you need to change your oil, if you change it yourself, the light still comes on, you need to take it to the dealer for them to reset the ECU.
Have you ever been to a turkish prison?
Tons of paperwork?
? ID =12263&c=206
Obviously you haven't heard of the Patriot Act, or the Domestic Security Enhancement Act.
http://www.aclu.org/SafeandFree/SafeandFree.cfm
* The government no longer has to show evidence that the subjects of search orders are an "agent of a foreign power," a requirement that previously protected Americans against abuse of this authority.
* The FBI does not even have to show a reasonable suspicion that the records are related to criminal activity, much less the requirement for "probable cause" that is listed in the Fourth Amendment to the Constitution. All the government needs to do is make the broad assertion that the request is related to an ongoing terrorism or foreign intelligence investigation.
* Judicial oversight of these new powers is essentially non-existent. The government must only certify to a judge - with no need for evidence or proof - that such a search meets the statute's broad criteria, and the judge does not even have the authority to reject the application.
* Surveillance orders can be based in part on a person's First Amendment activities, such as the books they read, the Web sites they visit, or a letter to the editor they have written.
* A person or organization forced to turn over records is prohibited from disclosing the search to anyone. As a result of this gag order, the subjects of surveillance never even find out that their personal records have been examined by the government. That undercuts an important check and balance on this power: the ability of individuals to challenge illegitimate searches.
It goes on and on. Where there once was vast amounts of paperwork, now a simple "it's a terrorist judge, sign this" and it's done.
Now, as long as that is used only against what most of us consider a "terrorist" (ie, a person who wishes to physcially and violently attack non-military targets for the sake of influencing political opinion), I don't personally mind too much. In Tulsa, we have a building that is a 1/3 (or somewhere around ther) replica of the World Trade Center (or what used to be the WTC). We also had a terrorist act in OKC. But I have a strong suspicion (backed up by numerous historical incidents) that these powers WILL be abused against our citizens that are not really "terrorists". The problem is that the bill(s) have past, and are now in enforcement.
Not that this really has anything to do with what the FBI did. I applaud them in apprehending this individual, and find is somewhat funny that is was done with such a simple method.
Maybe we DID take the blue pill. You wouldn't remember anyway.
I think I need to add something here. I have already done this several times without fear of prosecution. Prosecution? Please. There are buildings full of attorneys that would LOVE to get my case if somebody came after me for making a legitmate consumer complaint. Me, a small customer, tries to place an order on Big Company's website and, being a computer professional, notice it's insecure; I notify the company and they would try to prosecute me? That's not only silly, it's incredibly bad business. That just takes a non-issue and puts it on CNN or 60 Minutes. This isn't like cracking the encryption on a DVD or hacking through a firewall. This is a legitimate consumer complaint. Believing that Big Company is going to try and pin me as a cracker would take more resources ( and more problems when people actually DO get hacked ) than trying to extinguish me. I'm much more concerned they'll just ignore the problem.
The reason I have no fear is documentation. I have full records of everything I've done and did not do. I have every email I've sent. Other organizations also have records. I've told them ( the company) how to contact me if needed. What kind of 'cracker' prosecution is going to hold up against that? I've worked in corporate management before, and documentation is the most difficult thing to combat. Look at the case with SCO. If SCO can't produce evidence against IBM, their case is done. Period. That's documentation in action ( or lack of it in action, more than likely. )
Don't give me a bunch of case histories about companies crushing the individual. It happens, but I'm pretty confident that those individuals were fighting the company in some form. I'm not, and as I said, I turn the information over to other organizations ( FBI, SBI, whatever. ). You can toss out paranoid ideas all you want. I'm speaking from experience. I've done this at least a dozen times.
Most companies are aware there are "white hats" as well as "black hats", because most companies have tech people on their own staffs. What terrifies big companies is NOT that someone is going to blackmail them. Anyone who tries that WILL GET CAUGHT. What actually scares the heck out of big companies is that someone will start stealing identities and credit card numbers from their warehouse AND IT WILL MAKE THE NEWS. That's their motivation, not crushing me for complaining. When you return something to Best Buy, is it their policy to hit you with a baseball bat and yell at you with a megaphone until you leave?
If you put the same bill out in a public place (say, on a public sidewalk) and then go away, and someone takes, it's probably NOT theft.
/may/ be when the police do not need a warrant.
Technically, it's either larceny or embezzlement. The money is not yours. If you pick it up intending to keep it for yourself, it's theft. If you pick it up intending to follow the law and report the missing property to the police, you have acquired possession lawfully. If you change your mind once the money is in your pocket, it's not larceny, but it is embezzlement.
Of course, that's under old common law. These days, it's simply theft. The law requires that lost or abandoned property be delivered to the authorities. If it's not claimed by its rightful owners, then you'll get the property back from the cops.
Realistically, however, no one is going to report a $20 bill to the cops, and no one is going to care. But a sack of money? Keep it and you're committing a felony.
When does a resource stop being the "property" of someone? The simplest answer is when they have no control on that resource. Another
"Finders Keepers" is not the law. Also, the law related to the fourth amendment protections against unreasonable searches and seizures (the root of the requirement to obtain search warrants in some cases) has absolutely nothing to do with the definition of property rights, and when those rights end.
Going back to the Internet and theft: Theft usually requires the taking and carrying away of the tangible personal property of another - so you can't really "steal" a web page. But you do need to drop the illusion that it's OK to play around with other people's stuff (homes, web pages, etc.) just because their security can be easily circumvented. I could break into most homes simply by throwing a brick through the window. This "exploit" doesn't give me the right to root around in my neighbor's homes, just because they're too stupid to have their vulnerable windows bricked over. I can photocopy a book I borrow from the library. The fact that the publisher failed to provide adequate security by printing books that can be photocopied does not make my actions legal.
144l. ph34r my 133t l3g4l 5k1lz!
The article link now takes you to a registration page, to register for StarTrib content.
Luckily, I had read it the first time before the gauntlet was dropped.
I wonder if this will become a new trend. Bait Slashdot into linking to an interesting article you have, then switch it for a subscription page.
We need a new term for the behavior - SlashBS - Slashdot Bait & Switch.
It all depends what kind of crime.
The Zodiac Killer was never caught, but was still extremely famous. He left encrypted messages at crime scenes, some of which the cops solved, and some of which remain unsolved to this day, even with the full attention of public cryptologists trying to crack them.
ping -l 666 -n 666 special.host.at.bestbuy.com
fsckin' DUH!
Canivore for the feds? I'm starting an open source project to hold my valuable IPAV app's intellectual property and I'm going to call it Moronivore
It *is* a troll, but its clever - please mod up
I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
...that Best Buy's web site is currently inaccessible?
--- Ban humanity.
I have scanned through the comments and most are talking about using html/images to track him. What if the FBI/TLA agency is just goofing everyone? - like mechanics telling someone that their "muffler bearings" need replacing.
:)
With that in mind, what if their "Internet Protocol Address Verifier" is just turning on the "receipt/delivery notification requested" option when they sent him their outgoing email - I have mine turned on by default and I know that there are a number of people who's email servers and/or clients return a read notification to me without them really realizing it. It won't give you the client IP is every case, but it does give you various amounts of useful info.
That wouldn't necessarily be defeated by using pine, etc, etc.
One of my favorite fun uses for read notifications is to see when the evil catbert trolls from HR are pawing through the email inbox of someone in the company that got canned or left without marking all my msgs as read. The trolls don't realize it sends me a read notification as they paw through, so when I get one from a "being phased out" email account, I send an email saying:
Oh my God, so-and-so did you come back? I hope so.
Sorry that you were gone, everyone missed you.
Ugh, what a job to have, like looking through someone's pockets after the're dead...
Am I missing something obvious or shouldn't all these computer criminal masterminds be taking advantage of the countless unsecured WAPs in every city? The bottom line is that every connection you make via wire from your home can plausibly be traced so why not get a laptop, wander around the city and send out your demands from the comfort of a park bench. Let the FBI send every tracer they can think of, they'll always end up with nothing. Seems kind of worth it if you're trying to lift $2.5 million. I wouldn't be surprised if within 5 years the gov't makes a law holding all WAP owners accountable for the security of their system.
CommentBot 0.7a running with args "-module irritate,disagree -target random"
If they're going to do surveillance at all, yes they do. Go back to a basic statistics book and read about false negatives and false positives, and what happens in cases where the event you're trying to detect is unlikely compared to the false-positive rate of your test. For a test sensitive enough to find a handful of terrorists in a large population, the false-positive rate WILL be high. This implies that, not only will they inevitably spy on innocent people, but will falsely accuse a number of them. If their criteria for determining if you're a terrorist give lots of false positives, tens or hundreds of innocents will fall into the net along with each terrorist. This is also why trials on secret evidence are such a great injustice: there are scenarios in which the government could be acting in good faith, using statistically valid techniques, and still lock up far more innocents than bad guys. An independent body needs to review that evidence, since there's no incentive for the government to admit that (say) 95% of the people they accuse are innocent. And based on what I've seen so far, I have little confidence in the good faith of this government-- that only makes the situation even worse.
It's naive to assume that any simple rule (say, spy only on Arab men aged 20-35) is going to significantly improve your rate of success. Too easy to anticipate and circumvent. It's about as misguided as putting massive resources into preventing another 9/11 attack. Successful terrorists are always changing their tactics. Whatever the next one is, you can be assured that it will be different than the last one. They can only succced by hitting us where we're NOT looking, and by forcing us to expend our resources looking for them where they're not.
Note further that the high false positive rate, and the government's refusal to be accountable for it, will lead to a situation where innocent citizens rightly mistrust the government. This will compromise their ability to gather worthwhile information, and will make us all less secure.
These observations do not assume malign intent on the part of the government. Merely the everyday venality of politicians. I, for one, mistrust the Bush administration's motives as well as their methodology. None of this would encourage a rational, well-meaning person to risk their own personal freedom to provide the government with information of unknown quality that might thwart an attack. Odds are it's irrelevant, and even stronger odds say that you'd be putting yourself at risk of continuing harassment and possibly indefinite incarceration by contacting them. Conclusion: police-state tactics can never improve security. They just make life more threatening for innocent people.
We won't get anywhere until we realize that the tradeoff is not freedom versus security, it's justice versus security. And that tradeoff only applies if the government is behaving honestly. Otherwise, both justice and security are lost.
Get your teeth into a small slice: the cake of liberty
I managed to get a hold of the source code for the internet address verifier. Here goes:
."
#!/bin/bash
usage()
{
[ "$1" ] && echo "$0: $*" >&2
echo "Usage: $0 " >&2
exit 1
}
[ "$1" ] || usage "You must supply the criminal's email address"
email=$1
domain=${email##*@}
mxname=$(host -t mx "$domain" | sed -ne 's/.* \(.*\)/\1/p')
mxaddr=$(host -t a "$mxname" | sed -ne 's/.* \(.*\)/\1/p')
netblock=$(whois "$mxaddr"|sed -ne 's/[^(]*(\([^)]*\).*/\1/p|tail -1)
netowner=$(whois "$netblock")
echo "Your next step is to issue a subpoena against the following party - probably an ISP."
echo "They need to give you the current user of the IP address $mxaddr."
echo "(This may very well point back to the same ISP)."
echo "This party, in turn, must turn over the identity of the email account
echo "$netowner"
Yes, when you click a link. But Outlook is still using the IE engine to render any HTML-formatted messages.
I hope you're keeping up with the IE security fixes, and not assuming that you're safe just because Moz is your default browser.
Interesting fact:
:-)
If your phone company bills the government for a tap (they can sometimes) check your bill carefully. If it's anything like Canada, this may screw up the taxes (clearly, the wiretapping charge won't appear on the bill, but the computer may forget to deduct the charge from the taxes portion of the bill as they did for Canada).
Just thought you might find it interesting.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
Maybe you'll learn something... just maybe.
Sivaram Velauthapillai
Sivaram Velauthapillai
Seeking the meaning of life... @slashdot of all places