Slashdot Mirror
Feds Thwart Extortion Plot Against Best Buy
hiero writes "From an article
in the Star Tribune: 'Federal authorities said Tuesday they thwarted an extortion plot against Best Buy Co. Inc. by a man who sent the company an e-mail threatening to expose what he claimed were weaknesses in the retailer's computer system unless he was paid $2.5 million.' What's really interesting to me, though, is this paragraph further on in the article: 'The federal search warrant was obtained the morning of Oct. 24 and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.' Internet Protocol Address Verifier? Is this Carnivore in action?"
I think it's called a return receipt :-D Probably was using Outlook which automagicly sends one when requested.
Blogzine
That's what happens when you try to extort a big company using Outlook.
"0101100101? It's just jibberish. *looks in mirror, gasps* 1010011010@!? AHHHHHH!!"
Okay... I'll do the stupid things first, then you shy people follow.
[Zappa]
and this is where he's going to say his computer was hi-jacked, right? Even Carnibore has its limitations.
Easy does it. You don't need a big surveillance program, just add a bug to your email that "grabs" the reader's IP addy and voila!
Easy does it, apply the KISS principle to life.
~~~Please pass the salt, I hate unsalted MD5s
sounds so much better than "ping"
I think that it would only work if you were able to obtain an email address that a spammer actually checked, and we all know how hard those are to come by.
"0101100101? It's just jibberish. *looks in mirror, gasps* 1010011010@!? AHHHHHH!!"
One one hand, if a genuine white hat hacker finds an exploit in a network and told the owners about it, s/he finds himself ostracized for the actions, and is threatened with legalities.
And on the other hand, what this guy tried to do was establish a "business relationship" -- notice that he did try to contact them first with the offer to help them:
The e-mail also offered to establish an unspecified business relationship between the sender and Best Buy, adding: "Without your response, we are obligated to share the security hole with the public for their protection. As a result, Best Buy may experience a loss in business, thefts and lawsuits."
Ofcourse, once he noticed he wasn't getting anywhere, he decided to resort to good ole' blackmail.
Honestly, this was bound to happen some day or the other. When legitimate security people point out bugs and holes, they get treated like scum and are threatened with law suits. So whats the best thing to to? Threaten the companies with money. Even if 0.1% of the companies gave in, it still is a way of making money.
Good, atleast this way companies will be more careful about protecting data.
Hmm, sounds like a fancy name for a computer expert. All you have to do is read the SMTP headers in most email and it will reveal the sender's IP. Just trace it back down the line of servers through which the email was routed, and you get back to the original IP address.
If the sender is spoofing headers, however, this becomes more difficult. Why not just subpoena the ISP for their email data? Doesn't the server keep a log of what IP addresses sent which pieces of email?
For example:
Received: from [65.119.30.157] (helo=SMTP.magnellmail.net)
by snoopy-bak.runbox.com with smtp (Exim 4.24)
id 1Ae9TJ-0006F6-B0
for xxxxxxxx@runbox.com; Wed, 07 Jan 2004 09:55:25 +0100
Received: from mail pickup service by E1SSL2 with Microsoft SMTPSVC;
Wed, 7 Jan 2004 00:56:48 -0800
The above shows that someone at 65.119.30.157 sent this email. It went through their mail server (magnellmail.net) to runbox, my provider. From there, Runbox directed it to my Inbox when I opened Outlook.
There is also a very unique message ID at the end of the headers section:
Message-ID: [E1SSL23ZpEVmkWFBXZG000011b9@E1SSL2]
Could this be used by the Email provider to find out who sent emails, if the IP address is missing or spoofed?
Homestarrunner.net -- It's Dot Com!
I did domething similar once. I put a tiny transparent image URL in a letter to try to get the IP address of someone. Then I monitored the server logs where the image was hosted.
"God fights on the side with the best artillery." - Napoleon, Marshal of France - speaking truth to power
Is it when he offered a "business relation" in exchange for fixing the problem? Or was it when he threatened to disclose the flaw? Or was it merely because he wanted money in return?
Had he just disclosed the flaw, would he more or less a criminal, ethically and legally speaking? It seems that worse would have come if he had simply published the flaw right away.
Was he justified in asking for compensation for his findings? If not, this seems to obligate us to "work for free" when discovering such a security problem.
What do others here think?
This is just a case of bad journalism. Of course, there are many methods of getting the IP of the receiver of an email The most common is a webbug (a link to an image on a server you control), but that requires for the culprit to use a mail client that renders HTML.
"Internet Protocol Address Verifyer" sounds like something you'd find in a Movie OS. Of course, like all other buzz words, the name is not related to the alledged function.
They either used a webbug, og checked the IP in the header of the mail he sent with his claim.
Personally, Why isn't technology like this being adapted to fight SPAM. Maybe the FBI is trying to keep tools like this under wraps so they can continue to use it against people, rather than knowledge of its existance being a deterrent... double-edged-sword i guess. I'm honestly curious how serious the extortionists were... The scheme sounds very half-hatched to me...
~~~ SCO sued me because I printed this t-shirt with a Linux driven printer...
They got a warrant BEFORE they used the program. Whatever the program did - read information from his PC or just return IP address - it was a valid, legal search. We should be considering this a victory for our rights. The only way I can see anyone complaining about this is if the warrant was improperly obtained, but it seems entirely reasonable to "search" the email address that has been attempting blackmail.
They probably just read the mail headers as soon as he replied to the letter they sent him. From this and the time the email was sent they probably had no trouble asking his isp for the user information. Criminals are not always the smartest apples and he probably didnt even have a way to crack the website.
If he wasnt clueless he would have used a dummy email account and checked it via rental computer or at the very least a dial up account using *69 ( which can still leave your number ) and a prepaid credit card / gift card.
This guy reminds me of the old irc script kiddies who would do things from their house and wonder how they were tracked down. While anonomyzers are available it makes me wonder if he,
a. used one
b. had used a computer before
As to the FBI ip verifier i find it hard to believe they have anything more advanced then the current jscript / asp / log parsers to pull ip information.
AFIK the absolute most a email address can yeild is the ip of the server. However with the email headers im sure you can get a ip without too much trouble with a warrant.
Karma's over rated. Speak your mind.
Make sure you turn off Message Disposition Notification in your e-mail client.
Sheesh, evil *and* a jerk. -- Jade
Internet Protocol Address Verifier? Is this Carnivore in action?"
That'll be a tiny 1x1 pixel gif embeded in a HTML e-mail called from the feds server.(AKA web bug... You cant turn off HTML in M$ LookOut and this dude dosent sound very clued up)
Presto, the feds know who opend the mail how long they looked at it etc etc etc.
A top tip (tm) is to embed a web bug in a job aplication e-mail. Its interseting to watch your aplication being pushed around various departments and see who actually reads it.
Anyone quoted by a reporter knows how little they understand
Don't believe what you read is the truth.
Over here there is a Congressional Statement of what Carnivor "officialy" does, or is "allowed" to do. One paragraph of this statement:
Carnivore is a very effective and discriminating special purpose electronic surveillance system. Carnivore is a filtering tool which the FBI has developed to carefully, precisely, and lawfully conduct electronic surveillance of electronic communications occurring over computer networks. In particular, it enables the FBI, in compliance with the Constitution and the Federal electronic surveillance laws, to properly conduct both full communications' content interceptions and pen register and trap and trace investigations to acquire addressing information.
gives us the gist of it. So yes this very well be Carnivore in action.
"It usualy starts with some screaming. Afterwards there is much running around."
This is the first time google has heard about it as well, apparently.
I'm much more concerned that their cash registers use WiFi without a lick of encryption... I read several stories a while back about people sitting out in the parking lot with sniffers, capturing credit card information...
Somehow, this power accumulation and surveilance (sic) reminds me of Senator Palpatine. I just hope I'm wrong.
Huh. It reminded me of Stalin and Beria and the NKVD, but you're right, better we should take our lessons from space opera than from history.
George Lucas's fertile imagination is so much more convincing than those ponderous, dusty history books. And you can't eat popcorn and jujubes while reading books, it gets the pages too sticky.
Opinions on the Twiddler2 hand-held keyboard?
Even there may be something that may trace from wich (IP) address an event happened (thou I completely agree with the 1x1 gif idea) . I don't see how it may prove something in court.
What if the email was send (the smtp server was invoked) from a compromised computer. There are lots of win98 online with hundreds exploits ready waiting for somebody who needs an IP to do something from. What if the person uses a cascade of proxyes and shells.
I will just mention all the possibilites the iproute2 package gives to move network segments and obscure what is going on.
We should do everything possible to prevent the court system to take computer generated information (logs) as a reliable evidence, because it may be just the start of the witch hunt...
You cant turn off HTML in M$ LookOut
;-)
Oh yes you can - something I rely on to avoid spammers using the same trick!
this dude dosent sound very clued up
My thought exactly
A top tip (tm) is to embed a web bug in a job aplication e-mail. Its interseting to watch your aplication being pushed around various departments and see who actually reads it.
h eck.ins.govr rorism.dhs.org. com
Yes, it's very interesting. For example, here's the log of all the machines who accessed my web bug when applied for a job at the DHS:
frontdesk.dhs.gov
hr.dhs.gov
check.dhs.gov
c
check.irs.org
it.dhs.org
counterte
legal.dhs.org
submitsubpoena.aol
bust.usmarshals.gov
brb 2 secs, someone's at the door...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Anyone that reads 666 otherwise known as the hacker quarterly knows about all the problems in Best Buys network.
It even goes in depth on how to get into thier private network from a display PC.
How to find info on hiring and firing people etc.
How to order stuff and have it sent.
and few other ways of hiding yourself, as below
1. Dedicated firewalled Linux Laptop with WLAN, and changing MAC
2. WarDrive around for a unsecure internet connection.
3. Use proxies from unsecured PC's, lists available from DBL providers, or you Email server logs.
4. Setup up a web mail account, and send business proposal.
5. WarDrive to other access poiunt for continuing dialog
6. Travel around a bit to avoid setting a Wardrive pattern
I would think this would be very difficult to trace without social engineering
mailto:EatSpamAndDie@princeweb.com
Yeah but since PATRIOT, everything is a valid search...
Is this Carnivore in action?
:)
No, it isn't. Like another poster said, this is really just a web bug. Carnivore is a sophisticated system for parsing billions of e-mails and flagging interesting things like threats against the President for analysts to examine, but has nothing to do with validating return addresses or anything like that.
The only way to actually know that someone is actually receiving your e-mail at a particular location is to include a web bug that reports their IP address back to you, by opening a socket connection directly to something on a server you own (e.g. an image). So either include an image in the e-mail which is requested from your server, or include a trojan that "phones home" when they run it.
It works. Try it the next time you want to see who's really spamming you. Just send a web bug to whatever the response address is they want you to contact, (you know, for your Nigerian money-laundering instructions), and then examine your server logs carefully to find out where they really are in the world. Of course, you could also send them a backdoor if you wanted, instead of just a beacon, but I would never countenance such uncivilized behavior
I guess the DTMF has changed!
Ok , thats a bit obscure but a real hacker will know what I mean.
Exactly, Everyone goes into a big sniff when the FBI is using Carnivore or whatever else. But as I see it the Bad Guys have the same type of tools just under many different names. Your phones can be tapped, there could always be an agent listing into you conversation out in the street, you home can be bugged, and now they monitor your internet connection. This is not a change in our privacy, basically by law when ever the government get a warrant (A warrant is issued when their is probable cause) the officials can invade our privacy. Now the FBI neither has the Manpower or the money to monitor everyone on earth or even the USA or Even New York. So they go after who they expect are the trouble makers. Now the Bad Guys who have their collection of smaller tools who can do the same thing will be targeting after the common folk because they don't care what damage is done, Plus they are a lot more of them then the FBI.
So who would you rather have spying on you. The FBI who has to deal with Tons of paper work to even start spying on you then needs to make a strong case that you are a criminal, worthy of prosecution. Or some random Hacker/Cracker guy who just randomly found your IP address and spies on you. Then is willing blackmail you into whatever morally questionable thing you do on the internet (say your job is a minister and you have been viewing adult porn sites (Which is legal but you don't want it to be public)).
I much rather have FBI spying on me and then realizing well he is not doing anything illegal. Compared to a random hacker going, Ohh I bet he doesn't want people to know that he does that.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
You have to realize that we are getting our information about this incident from a NEWSPAPER, which the very least reliable source for technical topics. Remember this clueless newspaper article?
I'd say we know little about what actually happened here.
(Somewhat off-topic, but a related topic, honestly)
About a month ago I discovered what could be deemed a weakness in a relatively popular online merchant's order status system, allowing anyone to view the order status for any order in the system just by changing an ID field in the URL. I often try changing such values in URLs like this for no real reason (a habit from designing my own web-based scripts), and I've never found an exploit until now.
So with a simple perl script, it would be possible to download and parse the mailing address, shipping address, items ordered, amount paid, credit type (NOT credit card type or credit card number, thankfully) and other assorted information for any given order. After some brief checking, I determined there were over five million orders viewable in this manner, going back a few years.
So what am I supposed to do? I have no interest in establishing a 'business relationship' with this online merchant, telling everyone how to do it seems like it would cause more harm than good, and I fear being ostracized or even litigated for 'hacking' if I tell the company, even if all I did was change a sequential, non-encrypted number in an URL.
Or is the information accessible not a big deal to worry about?
Imagine his surprise when he received a $2.5 million Best Buy Gift Card in the mail. Doh!
I imagine that yep, this person isn't savvy enough to not use html email, and they slipped a web bug into the email. Hell I'd try it just on the off chance, and it looks like it paid off for your Feds that time...
I've had one case where a friend and I were writing a boobytrapped shell on a Linux box, to use as the login shell for a suspected system cracker, and he logged in, saw the new shell (which we hadn't quite installed yet) and RAN THE BLOODY THING FOR US! We got all the data we needed to track him down right there and then, phoned his ISP and got him shut off on the spot.
So - yes, even the more savvy often do really really stupid things...
-- ted russ http://www.arach.net.au/~ted/mydynes/ http://www.arach.net.au/~ted/myblogs/
Uh, the likelihood is that it was a web bug, in which case webmail won't help - the request comes from your browser, and thus IP. In fact, webmail makes it worse, because a lot of email software can disable web bugs or can't display them to begin with, web browsers don't tend to disable loading remote images ;-)
Free Java games for your phone: Tontie, Sokoban
This is not surveillance. This is just identifying the IP address of the recipient of email. Seems to me that's rather similar to using ping or whois. IP addresses and domain registrations are public, not private.
/. posts that sxeem to believe otherwise. Get over it. The Internet is not special and people don't get a free pass because they use it for criminal behavior.
It's also rather similar to your local mail carrier knowing where you live. Is that surveillance, too, or are you simply paranoid?
If Best Buy had received the same threat via snail mail, and the FBI looked at the return address on the envelope, would you be screaming about surveillance?
The Internet is not some mystical land that exists apart from reality and the law, contrary to the constant stream of silly
Next time, please think bekore exposing yourself as a paranoid llon, OK?
-- Slashdot: When Public Access TV Says "No"
Huh. It reminded me of Stalin and Beria and the NKVD, but you're right, better we should take our lessons from space opera than from history.
In Imperial Coruscant, history takes lessons from YOU!
Hey dumbass! If you had bothered to do even the simplest of searches, you would find out that Best Buy stopped doing this long ago.
without their permissions you are a criminal, both legally and morally. My stuff is my stuff and I'll thanky ou to keep your hands off it. If you wish to audit anyhting I have, physical or virtual, you'd better ask my permission first, or you'll face consequences.
This seems perfectly reasonable and there is plenty of precident in the physical world:
My house has many known security flaws. The largest would be the windows. They are easily broken with just a rock, allowing access. My door would also be a flaw, it's solid, but nothing a battering ram in experienced hands couldn't break down in a few minutes. My lock is aslo a flaw. IT's better than most, a high security lock that is much harder to pick than normal, but it still is pickable.
So, if someone breaks into my house and demands money to fix it, should I honour that? No, I'd by perfectly jsutified in holding them at gun point and calling the police to have them punished. Regardless of thier intent, it's MY house and you'd better not enter it without my permission.
It is similar for computer systems. If I pay you to hack my stuff and report on it, great. YOu are providing a valuable service and I thank you. IF you break into my stuff without my permission, you are a criminal pure and simple.
Also, demanding money ex post facto is something else we have a law against, it's called balckmail and is illegal.
Look, if you want to find flaws in stuff, do it legally. Contact the owner and ask if you may hack them. If they say no, move on. IT is not your duty or right ot mess with their stuff without permission.
Look, if you have a peice of software and you hack it on your own systems and/or network, that it leagal. You then publish teh exploit, also legal. However if you come and hack MY network without my permission, that's NOT legal.
People who illegally break into systems deserve no more respect or consideration than people who illegally break into houses. You have no right at all to enter or use other people's property without their permission. Don't pretend like because it is a computer system that makes it any better.
IT's like lock picking. IF you want to learn to pick a lock and find out its venurabilities, go right ahead. But do it on a lock you own. But the lock in question and play with it. To go to someone else's house and try on their lock without permission is illegal and immoral. You've no right to mess with their property.
So if you get asked/hired to test someone's security (physical or virtual), great. Do what you can and give them a report. If you have something you own (physical or virtual) and you discover a security flaw, great, make it known so a fix can be developed. But do NOT presume you have the right to invade the property of others. It doesn't matter if it is venurable or not, it's not yours so you keep out.
The #1 tech support issue after Office 2003 comes out:
"Where the heck are my images? Please make it act like the old Outlook."
Its good MS is doing this by default, but most users couldn't care less about security/privacy especially when it inteferes with "purty pictures."
The problem with an embedded image bug is that if the recipient views the source of the email -- and presumably this alleged extorter is a techie -- it's easy to spot such a bug, and so there's a real risk that including a bug would tip him off to the investigation.
So, it may be an HTML bug, but perhaps not...
Here's what I do: Bitty Browser & Andromeda
Obviously you have never lived in a country that kills its OWN citizens. Obviously you haven't heard of the totalitarian regimes in Germany, USSR, and USA's close friends Saudi Arabia and Egypt. Obviously you haven't heard of the damage done to civil rights activists in the 60's by the FBI and the CIA. Obviously you have never been targetted by the police. Obviously you are not a minority man (particularly black) living in some parts of USA. Obviously you haven't heard of the infiltration of the FBI by organized criminals (particularly the Italian mafia in the 60's and 70's). Obviously you haven't heard of police fabricating information and jailing people. Obviously you haven't heard of the government cooking up bogus charges and jailing people. Obviously McCarthyism is not part of your collective mind. Obviously you haven't heard of John Ashcroft's recent decree to spy on antiwar activists. Obviously you believe the legal system represent justice....Obviously you underestimate the power of the goverment.
So to answer your question, I would rather have some guy off the street spying on me than the goverment ANY DAY OF THE WEEK! There is something that you don't understand about the government--any government. Governments are far more powerful than 1000 people put together! They have immense power. The illusion of a legal system--which IS an illusion--does not change any of this. One just needs to look through the history of the government that you live under to see what I mean (I picked USA but you can pick any govt).
Sivaram Velauthapillai
Sivaram Velauthapillai
Seeking the meaning of life... @slashdot of all places
We applaud the hackers who so cleverly get around protections on technology. We had our "Free Kevin Mitnick" and "Free Dmitry" campaigns.
Here is a nice hack done for a good reason by the same law enforcement that is supposed to investigate and stop such crimes as extortion. And how do we react? Government spying! Conspiracy!
Really. That's just not very reasonable on our part.
Hot Damn! It's the Soggy Bottom Boys!
Hmmm. Really reminds me more of J. Edgar Hoover. But you are right. Better we should take our lessons from across the oceans than from the fascists in our own backyard.
(not that Stalin and Beria were nice guys, mind you -- it's just that there aren't mass executions in the U.S. yet)
I've actually run into this issue a few times. The action I've taken in the past pretty much directly relates to the severity of the security flaw. For example, I've seen URL hacks which allow you to grab another customer's credit card information, and then some which allow only address information.
My rule of thumb is that if a piece of information can be obtained and tracked to a specific individual, it's dangerous. That's the rule I use in my work as well.
When I decide the situation warrants it, I send a professional, formal email to the company ( also the web admin if there is one ), stating what I found, screenshots and leave it at that. Sometimes I will point out that I intended to place an order, but halted when I saw the issue. I also let the company know they may contact me if more information is needed.
This is what has happened in the past following these emails:
1. Almost all companies send me an email thanking me and letting me know the problem has been corrected, and it has been. Case closed.
2. I get a nasty email from the company ( usually this is with SMALL operations) telling me to take my business elsewhere. At first I would attempt to politely explain the risk, but soon realized that some sites have no intention of listening to me, and gave up. In that case, I may notify the BBB or other organization just to get someone else on their tail. I don't have time to chase down other people's security holes, so the best I can hope for is to let others know.
In any case, I always use the Enron rule: What if I later had to explain my actions to a grand jury?
As opposed to a big company who tries to extort us to use Outlook?
My beliefs do not require that you agree with them.
Here are three ways to get on America's Dumbest:
1. Rob Taco Bell right after filling out job appication and interview. Be arrested when cops show up at your address on the application.
2. Send extortion/blackmail emails using MS-Outlook from your normal ISP account. Be busted when FBI sends email using marketing tool like Neighborhood Email or eZine Manager. FBI is too embarassed to admit they used an e-newsletter tool and come up with the "ip address verifier" device.
3. Shoplift naked. Be arrested when cop identifies the incredibly stupid butcher's meat chart tatoo when streaking through campus on a dare.
4. Keep crack pipe, crack and lighter in glove box. Be arrested when you see a billboard advising "Drug checkpoint next exit" and begin throwing crack, lighter and pipe out the window while police are video taping looking for people throwing drugs and paraphanellia out the window.
-- $G
Can we use it to trace and arrest those bastards that send out 'pay us $699 for Linux' extortion letters?
This is another reason I like reading /. You guys give me a good whack on the side of the head on nearly a daily basis.
.gif files where a server-side plugin can compare the requested .gif to a known email and verify "yep - that addy is active" - even when most people ignore the unsubscribe links.
I read this and was foolishly thinking (probably like many do) that "oh, if I don't download an attachment and execute it there really is no danger. I mean really, if I don't "run" anything, how would anyone know?"
Silly wabbit is right. It's another case myself of not being able to see the forest for the trees.
I guess ANY HTML email can be malicious in a sense that it can snarf info if it actually interprets and points you to ANY website when you read it in its rendered state.
Talk about eye opening. I'll bet 90% of the general public don't actually realize this can easily be done for targeting purposes. With this in mind it's probably not hard (and don't flame me for not knowing this guys) but targeted spam in order to verify addresses could point to "specially coded"
"The aspects of things that are most important to us are hidden because of their simplicity and familiarity" - Ludwig Wittgenstein
Never have a philosophy which supports a lack of courage
Thankfully, no company has yet exercised option 3: prosecute you for computer crime. It doesn't matter if they don't have a case or what laws are on your side -- they have the money, power, and desire to utterly ruin your life regardless.
These people market and sell a product they probably know is shoddy. What makes you think they'd have the moral fibre or restraint to refrain from shooting the messenger? You can't trust their software, what makes you think you can trust them?
I've finally had it: until slashdot gets article moderation, I am not coming back.
Of course, this only works for people crazy enough to open emails in a program that accesses the web for content. Text-based email readers are obviously the way to go when sending threats _and_ opening email!
Interesting idea. I wonder how to get per-process firewall functionality on Linux.
The only way to actually know that someone is actually receiving your e-mail at a particular location is to include a web bug that reports their IP address back to you, by opening a socket connection directly to something on a server you own (e.g. an image). So either include an image in the e-mail which is requested from your server, or include a trojan that "phones home" when they run it.
Wrong. If you were talking about you or me.. that would be true. But if you were talking about an organization that had the means to find any email on any provider, then all you would need is to include a unique identifier in the email so that you would be able to locate among the billions of uninteresting ones.
I used to monitor commercial pager traffic. So that on my PC I would see every page, from every person on a given provider. If I wanted to find the "capcode" (basically a pagers ESN) of a user on the system, I would only have to send them a page with a unique number and grep it. From that point on I could single that user out for monitoring. So, this could be the same thing, only with email. Word.
Didn't anyone else think that maybe just asking the reporter would do the trick? His email address is right at the bottom of the article.
<sarcasm> oh wait - this is slashdot right - only two people actually read the article. </sarcasm>
I emailed Mr. David Phelps asking what an "Internet Protocol Address Verifier" was and his brief reply was the following.
"it's commonly referred to as a web bug. i used the term as contained in the government's search warrant."
So while the theorizing here did come up with that as a possibility - it also came up with lots of other BS.
Now the bizarre thing is that the feds used such a wierd term. Then again to a judge or lawyer the term "web bug" probably seems pretty bizarre.
I bet he was just trying to get his rebate money from them.
-------- This space intentionally left blank --------
If you're looking for sources of information, Ward Churchill and Jim Vander Wall's book Agents of Repression: The F.B.I.s Secret Wars Against the Black Panther Party and the American Indian Movement (South End Press) is a good start. When large numbers of readers refused to believe the stuff they had written (even though it extensively referenced the FBI's own documents), they did a follow-up book that just reprinted the FBI material called The COINTELPRO Papers: Documents from the FBI's Secret Wars Against Dissent in the United States. Harder to disbelieve that, I guess.
Actually this would make an interesting Slashdot topic. I've often marvelled at the fact that in many companies, certain members of an IT team have the potential to commit serious crime, AND cover their tracks until well after they've left the country. Whereas normal personel in a company can work there for 20 years and not have access to sensitive information, an admin/developer can often wander in to a job and have complete access to every part of the business within a day...
Code, Hardware, stuff like that.
Tons of paperwork?
? ID =12263&c=206
Obviously you haven't heard of the Patriot Act, or the Domestic Security Enhancement Act.
http://www.aclu.org/SafeandFree/SafeandFree.cfm
* The government no longer has to show evidence that the subjects of search orders are an "agent of a foreign power," a requirement that previously protected Americans against abuse of this authority.
* The FBI does not even have to show a reasonable suspicion that the records are related to criminal activity, much less the requirement for "probable cause" that is listed in the Fourth Amendment to the Constitution. All the government needs to do is make the broad assertion that the request is related to an ongoing terrorism or foreign intelligence investigation.
* Judicial oversight of these new powers is essentially non-existent. The government must only certify to a judge - with no need for evidence or proof - that such a search meets the statute's broad criteria, and the judge does not even have the authority to reject the application.
* Surveillance orders can be based in part on a person's First Amendment activities, such as the books they read, the Web sites they visit, or a letter to the editor they have written.
* A person or organization forced to turn over records is prohibited from disclosing the search to anyone. As a result of this gag order, the subjects of surveillance never even find out that their personal records have been examined by the government. That undercuts an important check and balance on this power: the ability of individuals to challenge illegitimate searches.
It goes on and on. Where there once was vast amounts of paperwork, now a simple "it's a terrorist judge, sign this" and it's done.
Now, as long as that is used only against what most of us consider a "terrorist" (ie, a person who wishes to physcially and violently attack non-military targets for the sake of influencing political opinion), I don't personally mind too much. In Tulsa, we have a building that is a 1/3 (or somewhere around ther) replica of the World Trade Center (or what used to be the WTC). We also had a terrorist act in OKC. But I have a strong suspicion (backed up by numerous historical incidents) that these powers WILL be abused against our citizens that are not really "terrorists". The problem is that the bill(s) have past, and are now in enforcement.
Not that this really has anything to do with what the FBI did. I applaud them in apprehending this individual, and find is somewhat funny that is was done with such a simple method.
Maybe we DID take the blue pill. You wouldn't remember anyway.
I think I need to add something here. I have already done this several times without fear of prosecution. Prosecution? Please. There are buildings full of attorneys that would LOVE to get my case if somebody came after me for making a legitmate consumer complaint. Me, a small customer, tries to place an order on Big Company's website and, being a computer professional, notice it's insecure; I notify the company and they would try to prosecute me? That's not only silly, it's incredibly bad business. That just takes a non-issue and puts it on CNN or 60 Minutes. This isn't like cracking the encryption on a DVD or hacking through a firewall. This is a legitimate consumer complaint. Believing that Big Company is going to try and pin me as a cracker would take more resources ( and more problems when people actually DO get hacked ) than trying to extinguish me. I'm much more concerned they'll just ignore the problem.
The reason I have no fear is documentation. I have full records of everything I've done and did not do. I have every email I've sent. Other organizations also have records. I've told them ( the company) how to contact me if needed. What kind of 'cracker' prosecution is going to hold up against that? I've worked in corporate management before, and documentation is the most difficult thing to combat. Look at the case with SCO. If SCO can't produce evidence against IBM, their case is done. Period. That's documentation in action ( or lack of it in action, more than likely. )
Don't give me a bunch of case histories about companies crushing the individual. It happens, but I'm pretty confident that those individuals were fighting the company in some form. I'm not, and as I said, I turn the information over to other organizations ( FBI, SBI, whatever. ). You can toss out paranoid ideas all you want. I'm speaking from experience. I've done this at least a dozen times.
Most companies are aware there are "white hats" as well as "black hats", because most companies have tech people on their own staffs. What terrifies big companies is NOT that someone is going to blackmail them. Anyone who tries that WILL GET CAUGHT. What actually scares the heck out of big companies is that someone will start stealing identities and credit card numbers from their warehouse AND IT WILL MAKE THE NEWS. That's their motivation, not crushing me for complaining. When you return something to Best Buy, is it their policy to hit you with a baseball bat and yell at you with a megaphone until you leave?
It all depends what kind of crime.
The Zodiac Killer was never caught, but was still extremely famous. He left encrypted messages at crime scenes, some of which the cops solved, and some of which remain unsolved to this day, even with the full attention of public cryptologists trying to crack them.
Maybe you'll learn something... just maybe.
Sivaram Velauthapillai
Sivaram Velauthapillai
Seeking the meaning of life... @slashdot of all places