Hacker Penetrates T-Mobile Systems
An anonymous reader writes "SecurityFocus.com reports 'a sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities.' Demi Moore and Paris Hilton are involved."
At first, I got "Nothing to see here" ... but Paris Hilton? Sounds like that guy had plenty to see ;-)
Genovese provided SecurityFocus with an address on his website featuring what appears to be grainy candid shots of Demi Moore, Ashton Kutcher, Nicole Richie, and Paris Hilton.
:)
Okay, all my Karma points for a link.
The same source also offers an explanation for the secrecy surrounding the case: the Secret Service, the source says, has offered to put the hacker to work, pleading him out to a single felony, then enlisting him to catch other computer criminals in the same manner in which he himself was caught. The source says that Jacobson, facing the prospect of prison time, is favorably considering the offer.
As much as we make fun of the computer knowledge of our governments, they finally seem to be on the right track. You must have some of these guys in your pocket to really have a chance. Can you trust them? Probably not completely... but if they bring you some knowledge, skills, and some of the most damaging players, then it's worth it.
Q: If I were a customer and I found out that my identity has been stolen, could I sue T-Mobile for any damages since they knew of the problem, or perhaps for just having breakable security?
BTW, the Black Hat's email address (and online identity) is ethics@netzero.net and at one point was looking for work as a security administrator. Not a big surprise that he was interested in the field, but 'Ethics'!
The force that blew the Big Bang continues to accelerate.
Didn't know Demi Moore and Paris Hilton were that good with computers.
...and download candid photos taken by Sidekick users, including Hollywood celebrities.' Demi Moore and Paris Hilton are involved.
Bleaugh! That's punishment enough for the guy, don't you think?
The Register's Article
v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
Dear God what have we become?!!!! Barbarians,..one and all....
Hacker... you mean cracker?
does it really exist?
i wish i was but oh well
Why am I not surprised?
Screw you all! I'm off to the pub
http://lists.jammed.com/securityjobs/2001/09/att-0059/01-RESUME_OF_NICHOLAS_JACOBSEN.txt
Surely the Secret Service would encrypt anything important? I would have thought that they would not have used a commercial network service like that. But then again mum always told me not to think too much.
Smokey, this is not 'Nam, this is bowling. There are rules.
That notification must be made in "the most expedient time possible and without unreasonable delay," but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation.
If I was a T-mobile customer I don't know if I would be upset or not. On one hand, I understand they wanted to catch the guy. OTOH, if my account was compromised I would want to know.
I bet the American public will be more flabbergasted over the fact that he has pictures of Demi Moore and Paris Hilton that haven't been released than the fact he was spying on the Secret Service.
Some days I'm proud to be American, but then the drugs wear off.
*DrugCheese rants*
Why are secret service members sending out e-mail from unsecured wireless access points?
I hate sigs.
Can somebody please post the Paris Hilton photos?
Where is the -1 Disgusting mod when you need it?
I dunno who it is
but it prolly is fhqwhgads.
Not to wear a tinfoil hat, but I think it's fair to assume that if a blackhat managed to compromise a whole system, he may have also managed to find a patsy for the whole thing. I'm not seeing the word "confessed" anywhere in that article, so perhaps they got the wrong guy? Only a proper trial will tell if he is actually the right guy or not. Geez you'd think the guy never heard of Tor or privoxy before...
/Tinfoil Hat
If *you* are going to read the Secret Service's email, wouldn't you do it better than this?
Seems like they have the wrong guy to me.
The dangers of knowledge trigger emotional distress in human beings.
Just because he is reading Secret Service mail doesn't mean it is important. For all we know the mail could read like this: On today's lunch menu we are not going to be having the chicken fajita due to a lack of chicken, we will be having PB & J's. Surely they have secure transmission lines (& methods of encryption), so why would they send anything of importance over T-Mobile's network?
feh, lots of things are pointless, this one too
FA says that he was offering ssn, dob, passwords, etc. for sale.
So... let's say that I want to patronize his obviously grossly illegal service. How do you consummate a transaction like this? Cash in a Fedex envelope? Sent to whom? A P.O. box?
Who performs first? Are there criminal escrow services?
And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?
Is there something I'm missing here?
No, really.
Never attribute to malice that which can be explained by mere idiocy.
How could he access the pictures taken by users? Those are only stored on the device itself, not t-mobile's servers. Unless they were sent to another device but this goes on all the time and I doubt t-mobile would waste storage space keeping every picture sent on their servers. Of course I am at work and behind firewall so I could not RTFA. maybe it went more into detail on this
Why on earth is the Secret Service of the United States using T-Mobile as an ISP/Email provider?
What's next? The FBI, CIA, etc is compromised while using hotmail, Yahoo, or Google mail?
Are Gov IT cutbacks so severe they have to turn to places like this to send messages?
"Beer is proof that God loves us and wants us to be happy - Benjamin Franklin"
It's a known fact that whenever "penetrate" is in a sentence it results in immediate sexual innuendo. But when "hacker" is also involved it just smashes that theory altogether.
Power to the nerds!
Ohh, well... that makes it terribly important then!
I'm a T-Mobile customer (not for long, after this).
I already sent them a nastygram over this. What kind of irresponsible piece of s*** company doesn't let their customers know all their information is in the hands of a hacker???
In Soviet Russia, I ruled you
I hope it came with an 18-dollar bill.
are uploaded to a phone company server and a link is sent to the recipient's phone, which then downloads the picture. So the content is by default stored on the company's server.
What, you're somehow expecting corporations and governments to be non-evil?
He Actually made it to and then through customer services!?!
:)
That's amazing
Email: ethics@netzero.net
ethics?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
In his resume, one of the applications he boasts knowledge of is ... Notepad! In addition, he wants a job in IT security and manages to mention nmap way after MS Office and Photoshop in apps he knows how to use.
All in all, a strange and somewhat irrelevant resume for a guy striving to become Network Manager in the IT security field.
My guess is that the Secret Service was using Blackberries, which uses encrypted transmissions between the Blackberry server and the device, and even multiple encryptions, if I remember correctly (one for the message, one for the Wireless). I doubt that they were stupid enough to use unencrypted service, when regular non-Govt. customers can have encryption (We have it here at our job on our BBs). Note that they say "emails" and not "SMS" or "Text Messages."
Cue in virus spreading under the pretense of Paris' new nude haxx0red pictures in five, four, three, two...
Most impressive that it took them a year to find him, and unsurprisingly they caught him when he tried to make a mint out of his exploiting. Remember kiddies, bragging is not good for you.
---- Take the Space Quiz!
Yeah, and gay means happy too!
If someone says he and his monkey have nothing to hide, they almost certainly do.
Nope. It's a hacker. The term has been in common use since 1984. The fact that a load of geeks desperately want to reclaim it doesn't mean the usage is wrong.
I have no idea why any geek would want to reclaim it though. After Jurassic park, any positive connotations are clearly lost.
The chairman of the FCC Michael "I have no idea what the public interest is" Powell is right on the case making sure your privacy is protected.
Bank on it.
The hacker knew about Secret Service subpoenas relating to government computer crime investigations, and even knew the agency was monitoring his own Microsoft ICQ chat account.
/.
wow is it me or does MS own more everyday you read
You know it seems like the reason this guy got caught was because he was sloppy with his own identity online... If he would have been more careful with the names / icq numbers / people he trusted online, it's very unlikely that he would have gotten caught.
:-/
I think he let his greed / ego get in the way when trying to offload this information that he obtained.
This really makes you wonder about the guys you never hear about, the ones that don't get caught.
This is why they were playing this case close to their chest.
I noticed the Microsoft ICQ point, too. Seems like the reporter made a mistake there. I'm also not sure the term "honeypot" is appropriate.
Even though I am not a T-Mobile subscriber, it's disturbing to me that my personal information is protected by the whim of a corporation and not by any standards. I think everyone is in agreement that corporations are driven by cost of security and not the security of its subscribers. The government should fine T-Mobile for inadequate IT security and a security standards board should be created to set baseline security measures for corporations and other institutions. I'm not sure such a committee exists but it's clear to me that there are no defined rules to protect information. We have rules from the FDA in regards to food, rules to handle securities etc. Why not rules and laws to protect customer and employee information?
http://herbopen24hours.blogspot.com or http://tolietman.blogspot.com
So the guy hacks in to the network, steals personal information, downloads private pictures, sells all this stuff... and then he's able to get away with just one felony, no jail time, and even a work offer for the Secret Service?
If you think the Secret Service won't use his skills in exactly the same way he was offering to the public before he got busted, you are mistaken. That is to say (explicitly), the Feds will use this guy to break into private computer networks and steal information of interest to them. They will keep him at arm's length in case he gets caught. This is the way law enforcement (unfortunately) works...
... why in some groups a "hacker" is someone who breaks into computer systems, while in others it's someone who "hacks" code fast and well (but not necessarily pre-plans the code)
And "cracker" is often used for someone who breaks the copy-protection on software products.
------------
The great thing about standards, is that there are so many of them
I am a T-Mobile customer, and frankly I'm a bit worried. I've always been very anal about keeping my SSN etc. secret, and now it could potentially be out there in the open and fair game for anyone to use. I called up T-Mobile, but they denied that their systems had ever been compromised.
Does anyone know what I can do to find out more information about this? If my personal information has been compromised, I need to go through the whole new SSN rigmarole. I'd really appreciate it if anyone could give me some advice on how to find out for certain if this has happened.
Dear diary: Today I stuffed some dolls full of dead rats I put in the blender.
Penetration definitely occurred. And not just to T-Mobile.
Pretty much anyone who uses that service got "Penetrated" pretty well -- and if you weren't doing your work over a good vpn with encryption, well, let's just say that it probably hurt.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
Did anyone read the "hackers" resume linked at the SecurityFocus site? It really sucked. What is it with so many people having such shitty resumes? It is no wonder that people cannot get jobs in the IT field with resumes like that.
Oh well that's a relief... had access to social security numbers, but not credit cards... weeeeeee.. I'm put at ease now...
it's not:
(cracker == bad)
(hacker == good)
it's:
(hacker == (breached security of some network) || (some bearded open source/linux developer))
(cracker == (someone who's broken some kind of encryption) || (someone who modifies software to bypass copy protection mechanisms) || (some white guy))
dumb fuck
Situational ethics are pervasive in our society. Steal 100,000,000 through insurance fraud, you get 5 years. Rob 10,000 at a bank, and get 20.
This is also the same country where we gave a dictator the technology and biological weapons to kill his own people by the tens of thousands, and used that as a reason 15 years later to depose him.
Get used to it.
You don't give companies, like t-mobile, personal information like your SSN and DoB that have no need to know it.
I mean they're a freaking phone company, what do they need your SSN for? Make sure you pay your taxes? Run a credit check?
Technology, the cause of and solution to all of life's problems.
For an article at a technical security forum there seems to be a lot more attention paid to personality, law enforcement and celebrity than the actual issue of security. I gave up on reading bugtraq a few years ago when a series of ego clashes and flame wars drove the message volume up and the s/n ratio down - looks like I haven't missed out on anything if this sort of article passes for news there these days.
[Set Cain on fire and steal his lute.]
Why do I feel another Leonardo di Caprio / Tom Hanks movie coming on?
--- Dan
Why isn't the secret service encrypting their email? The technology to do this has been around almost as long as email itself? Don't trust someone else's system to keep your unencrypted information private.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
A few replies to this posting have expressed surprise that SS agents use commercial wireless accounts, but how else could they send information to and from the field wirelessly? A few more have suggested that the compromised SS data may just be intra-agency chit-chat, but a couple things suggest that may not be so.
First of all, the nature of the documents that were leaked in the IRC chat - one is described as an "internal memo", and the other is probably a treaty with the Russians to share criminal information. No details are given re the content of the memo, but it could have been extremely damaging to a case in progress. And the treaty is probably not sensitive in and of itself, but its presence could tip off Russian computer criminals to watch their backs.
Now, the guy whose account was raided for this info is a recent celebrity for taking out a previous hacker. It would probably be extremely embarrassing to the agency for his goof to be exposed like this.
And then there's the fact that this MASSIVE series of criminal acts is being written down to just a single felony... and they're giving the guy a job!
Now I don't want to sound like a conspiracy theorist, but it seems likely to me that this dude got off (and got a job!) so light not for his m4d-l33t h4x0r skills, but because of the potential embarrassment to the service, and the damage the publicity might do to other cases. It seems the lesson here is that it doesn't matter what crime you commit online, or on what scale, as long as you:
The precedent that these two points set is worrying. Crackers are annoying when they deface websites, bring down servers or spread virus-like software - but it's only a few hours annoyance (a week at the most), then the problem passes (for most people). Once crackers get the message that the clowns get stiff fines and the real dangerous people get off light (plus get a lot more out of it if they don't get caught), it would seem to make sense to stop "tagging" or writing viruses and go for the big game. Furthermore, the cops become a very attractive target, which could compromise many more, unrelated cases.
So the message as I read it is: "Don't be a script kiddie, crack the FBI! If you get away with it you get rich, and if you get caught you get a job."
Both the Secret Service and T-Mobile should be publicly shamed for the debacle, and the response, if only it wouldn't risk compromising other cases.
It's hard to soar like an eagle when you're surrounded by turkeys.
Does anyone remember when slashdot had the story about the kid that sold windows source code for $20.00. This article has a snip about that these guys were friends... There is a thread in the slashdot article where another friend tried to defend why he did this... i wonder if this guy was in this stuff too..
The hacker's access to the T-Mobile gave him more than just Secret Service documents. A friend of Jacobson's says that prior to his arrest, Jacobson provided him with digital photos that he claimed celebrities had snapped with their cell phone cameras. "He basically just said there was flaw in the way the cell phone servers were set up," says William Genovese, a 27-year-old hacker facing unrelated charges for allegedly selling a copy of Microsoft's leaked source code for $20.00. Genovese provided SecurityFocus with an address on his website featuring what appears to be grainy candid shots of Demi Moore, Ashton Kutcher, Nicole Richie, and Paris Hilton.
Um...you do realize they're blackmailing him, right?
Honestly, I can't decide if being blackmailed is better or worse than him rotting in jail. We don't let people off the hook for robbing convenience stores "for fun" or "for the challenge", unless they're insane enough that they don't understand it's wrong (in which case, they go to a mental institution, not jail) and people intelligent enough to do the hacking are intelligent enough to understand breaking into something that doesn't belong to you is wrong; anything else is just creative ass-covering by hackers and their lawyers.
In case you hadn't figured it out by now, I'm not a Mitnick fanboy, which I know isn't very popular even today...
Please help metamoderate.
You're posting because you think that the press is misusing the word "hacker" but then you turn around and misuse the word "cracker."
-
On the other hand, how can he work as a mole when so much about his identity is already revealed? If the entire world now knows his name, has access to his resume, etc., isn't he at great risk of being identified?
Not really, this stuff all takes place online in forums and IRC so all he has to do is create new identities and work his way back into the scene. If he does get exposed, just lather, rinse, repeat. I'm sure the secret service can make sure he has plenty of different IPs to come from to help him mask his identity and location.
> Hollywood celebrities.' Demi Moore and Paris Hilton are involved
*sigh* aren't they ALWAYS... ?
- For the complete works of Shakespeare: cat
--> Johanne (urarrested@ARN-34.i_am_from_the_united_states_secret_service.gov)
Hello fellow criminals. Let's do crime.
cyn, free software and *nix operating systems enthusiast.
http://groups-beta.google.com/groups?q=ethics%40netzero.net&hl=en&lr=&sa=N&tab=wg
.. c'mon , chaining modems??
r oups/browse_thread/thread/4d0bba946d4e451a/94d8fef 4caf3c4e1?q=ethics@netzero.net :/ what a lame ass. And those Secret service agents were looking on the web, one google thru groups revealed his identity in 0.5 second
and BAH, a second link is 'Support for "Chainging" modems on a RAS?'
What purpose other than covering tracks one can
have to need this stuff ?? This post alone should
make someone monitoring usenet (FBI? CIA?) alerted
about this person.
And this one "HOW can i hack websites which are saved by a password???"
http://groups-beta.google.com/group/alt.hackers.g
same email as the one with the real name
Go grab those torrents.
"Ethics" posted a provocative offer on muzzfuzz.com, one of the crime-facilitating online marketplaces being monitored by the Secret Service as part of Operation Firewall.
Makes you wonder how many other crackers have gotten access to similar information, but weren't stupid enough to post that fact online, but went to a competitor (or the local Godfather, or the Chinese embassy) instead.
One man's -1 Flamebait is another man's +5 Funny.
So let me get this straight:
1. Hack into a communications company and steal "secret" service documents and social security numbers.
2. ???
3. Profit!
Uhh like it seems that the SS wouldnt be stupid enuff to comm over unsecure access points, perhaps these r honeypots, designed to catch ppl like this, errr
If the SS has to hire people that hack their email, then they obviously need to improve their recruitment skills. There are plenty of people out there that have these same abilities as well that are "moral" enough to pass a security clearance. Maybe a trip out to some computer science departments across the nation could bring in some new recruits.
But maybe im taking crazy pills.
So... let's say that I want to patronize his obviously grossly illegal service. How do you consummate a transaction like this? Cash in a Fedex envelope? Sent to whom? A P.O. box?
Who performs first? Are there criminal escrow services?
This page, linked in the posted article, has some explanation about how they traded:
"The 4,000 Shadowcrew members were participants in an underground economy capable of providing a dizzying array of illicit products and services. The most active commodities were "dumps" of credit card account data, fake physical cards to go with the dumps ($50 blank, $70 embossed, in bulk), and expertly forged identification to help pass the plastic at the local consumer electronics store. Credit reports, hacked online bank accounts, and names, birthdates and social security numbers of potential identity theft targets were also for sale in bulk.
Each product had its own specialists, and every vendor had to be reviewed by a trusted site member before they were allowed to sell. Disputes were handled judiciously, "rippers" selling bunk products quickly exposed and banned from the site. In one case a vendor who owed another member money was allowed to continue selling only on the condition that his future illicit earnings would be garnished until his debt was repaid.
Members of the community even traded in tangible items like ATM skimmers, prescription drugs, and cocaine, and services like DDoS for hire and malware customization. One well-reviewed vendor offered a test-taking service that promised to get customers technical certifications within days. He was permitted to vend after earning the reviewer a Microsoft MCP certification under an alias."
And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?
Um, dude, have you ever hung out on undernet? All sorts of shady shit happens there. I've known friends who knew people from online chatrooms who hijacked business conference call lines and made them available to entire chatrooms as a group conference voicechat line. Warring chatrooms would even appear and try to make the line unusable. I thought it was moronic (they even called from their home and work phones for God's sake!), but I think people aren't used to the internet's topology. The lack of a physical police presence makes people pretty confident and reckless - you're not there, so they can't just arrest you on the spot, which eliminates most of the anxiety in any crime (smoke weed in a public park and your house and compare your reactions). Even worse, because of the nature of the internet, the police don't need a physical presence to monitor any of it, so criminals can't just look over and notice that shady van across the street. The lack of these real-world reminders makes for bad heuristic judgments. You'd think hackers would be the first to notice that their lack of fear is due to this sort of fallacy, but from the article, it's clear that some don't.
Don't get me wrong - I'm not saying that it's easy to catch people committing crimes online. It's extremely difficult. GHB kits thrived online, and I'm sure if you still looked you could find products ostensibly marketed for other reasons that are just clandestine GHB kits on google (that's the only example you get, but you'd all be fucking shocked if you knew just how many drugs are sold online with Visa and paypal). If you take only the most obvious precautions, it's many times harder. Something as simple as using a proxy and encryption from a "borrowed" wireless connection can make criminals almost undetectable. Many of us use one of the three regularly. How hard is it to combine them?
The police can't monitor everything. Even if they devoted the resources to looking for this sort of thing, how many people know the magic combinations of words and searching techniques that let them
I'm still waiting for my "+1: Skank" mod to be approved.
Anyway, the ones you don't hear about (directly) are businessmen. They could give a fuck less about the secret service or NSA or any other organization unless it was easy to fence the data. Thus most people have no reason to fear them.
You appear to be glamorizing the life of a common thief. I hate to break this to you, but anyone who spends their time hacking computers for money is not only without decency, but also without brains.
These guys do eventually get caught, or worse, end up slaves to some crime syndicate. These people DO HURT others through identity theft, credit-card fraud, banking fraud and other malicious activities.
And I dare say, the ones that don't get caught probably don't get caught because of the fierce terrorizing power of the crime-syndicate that they are a part of (e.g. anyone gets close, they are scared away), rather than because of some super-talent. The super-talented guys can make it in the real world.
The reason that it can be true that 1+1 > 2 is that very peculiar nonzero value of the + operator
Getting the Not Found Error when I try to hit the link now. Next time try posting the entire resume, some people just don't want their server up in smoke ;)
It's not offtopic. It's sad that it's actually true in this case.
So the guy hacks in to the network, steals personal information, downloads private pictures, sells all this stuff... and then he's able to get away with just one felony, no jail time, and even a work offer for the Secret Service?
The government does this all the time in organized crime and drug cases. Look at a guy like Sammy "The Bull" Gravano. He killed god knows how many as a member of the Gambino family not to mention a list of other crimes a mile long but was given a slap on the wrist and a new identity for turning states evidence.
Nothing new here.
Where does the school board find them and why do they keep sending them to ME?
Is it just me or does anyone else think that Secret Service agents should know better than to use their T-mobile accounts to send sensitive documents!!!!
Subject says it all.
I've said it before, and I'll say it again, no matter how much it makes me look like a tin-foil paranoid: You have no privacy on the Internet and assuming that you do is foolish. Yes, you can use things like GnuPG to encrypt your email, but just about anyone can grab the ciphertext off of the mail server or while it is in transit. You can use SSL to submit a webform, but someone can get at the encrypted stream sent to the server. Assuming that you have anything worth knowing that is worth more than the cost of a cryptographic attack, there will be some party out there that will spend the resources to recover it. That's just the way it works.
If you need to communicate something private, the Internet is not the way to do it. Build your own network and use that, and hope that nobody else can get on it. (Operative word there: hope)
The guy crossed the line when he went to sell personal information to identity thieves. Looking at famous people's candid photos is pretty harmless (as long as he's not selling them to some tabloid or spreading them around). Reading the SS's email is the ultimate in poetic justice; they should be more aware of just how insecure email is than just about anyone. It's inexcusable for the frelling SS to have been sending sensitive documents around in unencrypted emails.
In the end, it sounds like the guy got caught because of his own hubris. Which, when you think about it, is typical... criminals get busted not because the cops are spectacularly competent, but because they run their mouths off.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
Why isn't t-mobile being charged for failing to protect the data?
I think "mr hacker" should be charged for breaking in and getting the data but I equally think the execs at T-Mobile should be responsible for making that information so accessible in the first place.
Why do people just let big corp USA (tm) walk over them and never fight back? Cell phones are already a "dime you to death" scam. Why put up with even more liabilities [like having your identity stolen].
Tom
Oh and fuck humanity!
Someday, I'll have a real sig.
Honeypot Proxy
By August 5th the agents already had a good idea what was going on, when Ethics made a fateful mistake. The hacker asked the Secret Service informant for a proxy server -- a host that would pass through Web connections, making them harder to trace. The informant was happy to oblige. The proxy he provided, of course, was a Secret Service machine specially configured for monitoring, and agents watched as the hacker surfed to "My T-Mobile," and entered a username and password belonging to Peter Cavicchia, a Secret Service cyber crime agent in New York.
Something doesn't quite ring right about this, apart from the obvious entrapment of the proxy. If his penetration of the T-Mobile system was as comprehensive as suggested, then why would the cracker access the system via the public "My T-Mobile"? It simply doesn't make sense unless he's simply picked it up as a lone username/password, and been socially engineered into using it.
The 'Hacker' also made little attempt or no serious attempt to cover his tracks; his IRC handle can be readily linked to his name, physical & email addresses and CV here, as disclosed by the article.
The Mutual Legal Assistance Treaty with the Russian Federation is apparently publicly available.
My guess is that Myth is really a handle for Peter Cavicchia, the ShadowCrew is and always has been a secret service entrapment operation for script kiddies and wannabes.
Kind of hard to keep a low profile with an @secretservice.gov e-mail account.
/sarcasm
If you want to come off as just another guy on the net then you use common civilian services.
And it wouldn't surprise me if they use free e-mail accounts either. You can either hide in the shadows by running their own domains and whatnot or they can hide in the crowd and use popular e-mail services.
"Are Gov IT cutbacks so severe they have to turn to places like this to send messages?"
Yes because this is obviously the only service they use to send messages
Work Safe Porn
well, i just got off of the phone with tmobile. customer care has no idea that this article even exists. in fact, call them up and ask if they know what slashdot is. go ahead, try. it's funny!
anyways, the only people who might possibly be able to help are customer relations, who don't even have e-mail or a phone number. who would have figured you couldn't call your phone company?
everyone i spoke to doesn't even want to admit it could have happened. when i mentioned slashdot and security focus, they said that i couldn't believe it just because i heard it online. when i asked them if they saw it on cnn, if they would believe it, everyone said yes. my reply was that i consider slashdot more reputable than cnn.
anyways, i'm going to be writing these guys a letter. i'm really unhappy. i've been with tmobile for 3 months and the first time i hear about it is from slashdot. not that i'm surprised. just sort of annoyed that it's true.
"William Genovese...unrelated charges for allegedly selling a copy of Microsoft's leaked source code for $20.00.
...
Musta been one hell of a SE to get that much
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
Also, Irving, California should be the more well-known Irvine, California
www.timcoleman.com is a total waste of your time. Never go there.
Thanks! That was very interesting. I've used undernet, but mostly for tech support (usually with pretty good success).
Never attribute to malice that which can be explained by mere idiocy.
Insurance fraud, eh..?
"A witty saying proves nothing." ~Voltaire
"d'Oh!" ~Homer
Let's recap:
This hax0r gains access to a restricted private industry computer system. But instead of just stealing private citizen's info, he steals secret service info. The US Secret Service (USSS) catches him and prosecutes.
Because of the SS deal, his legal costs are minimal...just sign the paper and plead. He lost his job, but got a better one, which legitimizes his favorite hobby. And finally, he gains national (international?) fame. If and when he leaves the USSS job, he shouldn't have a problem finding Fortune 100 clients for his network security consulting business. And don't forget about the book deals!
My point is, in the long run this guy came out on top. Sure he's a felon and can't vote, but who really cares. If you're gonna hack, hack the cyber crimes unit. This way at least you get a job... those are the guys they are looking to hire anyway.
There are 10 types of people in the world. Those who understand binary and those who do not.
Thank god we had all those extra laws to stop the evil cracker. God knows what might have happened otherwise...
.. now *that* would be a story ;o)
$ strings FTP.EXE | grep Copyright
@(#) Copyright (c) 1983 The Regents of the University of California.
I don't know why I enjoy crime stories so much but they are "fun" somehow. More than that, I enjoy the only-seen-in-movies way that the cops catch the bad guys. That was an awesome story.
As a T-Mobile customer, I am glad that all of this was actually closed before I became a subscriber... no worries there... I think... I hope...
But there's one thing I'd like to learn more about: Those celebrity photos!!! Where can I download those? Surely they're on a variety of sites by now right?
Ethics Design ... 1997-Present
...
I guess he flunked that one
Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd
Did anyone find it amusing that under his "techniques" section of his resume he had "Social Engineering"?
Not sure if I'd put that on a resume...
although to some management types it could be interpreted as "Excellent Communication Skills"! hehehe...
No kidding. Why the hell do we need MORE pictures of Paris Hilton? It's not like the world hasn't already seen every square millimeter of her body, and it's not like it's the best thing to look at anyway.
There's no need for a govt. wireless network. By the very nature of wireless, such a network wouldn't guarantee any more security than using a private wireless provider. The signals are still travelling through the air.
The govt. agents who use wireless for sensitive communications have govt.-provided encryption on each end. Private keys. Man-in-the-middle attacks won't work.
As an example, I was at a conference in DC where Bill Clinton was speaking back in the 1990's. We had Secret Service all over the place. Each guy had a hip-mounted walkie-talkie which connected to an earpiece for audio and had a microphone in the sleeve of their suits. The walkie-talkies were bulky custom-made devices unlike anything I'd ever seen available on the public market. They also had some kind of keypad for configuring the thing, I assume. Sure, you might be able to intercept their radio signal at the event, but good luck trying to decrypt their conversations.
Unfortunately, the SS agent in this case violated secrecy standards by broadcasting secret documents over unsecure com channels and needs to be disciplined.
$5 / month hosted VPS on linux = awesome!
if he would have had a laptop a car and a dc > ac converter he could have easily parked the car in the hotels parking lot and never gotten a room. Then he could have drove to a new location logged in again new ip new area no trace. you could go crazy in a college town with all the wifi hotspots.
From the art.:...At the same time, agents received disturbing news from a prized snitch embedded in the identity theft and credit card fraud underground. Unnamed in court documents, the informant was an administrator and moderator on the Shadowcrew site who'd been secretly cooperating with the government since August 2003 in exchange for leniency. By all accounts he was a key government asset in Operation Firewall. ...
If you can read about it in the news, that may be more compelling if less flowing than reading the book. The full text of Bluejay Books edition including illustrations of this very prescient piece of SF is on line where you will not find any illustrations of Demi Moore or Paris "overexposed" Hilton. Sorry.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
At the CompUSA in Totowa, NJ, the PC at the customer service desk has some kind of a T-Mobile login and password on a piece of paper taped to the monitor... a foot and a half from the customer's face.
500GB of disk, 5TB of transfer, $5.95/mo
I'm far more flabbergasted that people aren't more concerned (especially here on Slashdot) that 13.6 million identities have potential of being compromised! According to the article, he offered SSNs, DOBs, account passwords, etc. for sale to identity theft rings. Surely there are a number of T-Mobile customers right here on Slashdot that this makes a little nervous. I'm really surprised the popular press hasn't picked this up yet. Unless the Secret Service can guarantee no identities were sold, I think this is going to blow up big.
I fully agree. This is probably another PR stunt cooked up by the Sidekick folks. They were probably the ones who sent out this press release just to promote the fact that their product is used by Demi Moore in addition to Paris Hilton. They also want people's imaginations to run wild with the idea that maybe these two were sending illicit pictures of themselves back and forth. "Buy a Sidekick, maybe our untrustworthy network will accidentally send one of their nude photos to your mailbox!"
$5 / month hosted VPS on linux = awesome!
"...and agents watched as the hacker surfed to "My T-Mobile," and entered a username and password belonging to Peter Cavicchia, a Secret Service cyber crime agent in New York. "
I'm sorry, but that's just the funniest goddamn thing I've read in a week!
Privacy and security are two gigantic myths!
https://www.accountkiller.com/removal-requested
Exactly one week after I signed up for T-Mobile service my identity was stolen. The person started to change the address on my credit card (the one I used to sign up for the service) and proceeded to order thousands of dollars in "convenience checks". I was notified fairly quickly of the fraud, but it has created an insane nightmare of red tape to jump through to close all the accounts and watch my credit report. There has to be a better way to do this. For now it's back to a passport savings account and money orders. Oh, and of course I will add an extra layer of tinfoil to my hat.
So he did!
"Flyin' in just a sweet place,
Never been known to fail..."
I agree with the comments above: if he knew his ICQ account was being monitored, why wouldn't he lay low, or at least quit expanding his web of trust?
After reading this story, I thought I would look at my T-mobile account in the UK. I have never been there before, so I tried www.t-mobile.com and got the US site, then found www.t-mobile.co.uk and it gave an error message when I tried to open the page:
Oops! There's a problem
We can't find the file or script you requested. This could be a temporary hitch, or maybe you put in the wrong address. Please check your bookmark links just in case.
Then a popup appeared asking for my login password??????? This is on my mac.
Needless to say, I didn't enter it. Anyone else have a UK T-online account and seen the above error?
//Information does not want to be free; it wants to breed.
And that may be the reason "field" people use t-mobile.
I agree, the most disturbing thing about all of this is the low level of knowledge of the hacker. He was nothing but a script kiddie on his resume and he was caught with obvious mistakes. We can be sure that TMobile and others are still owned by more sophisticated crackers who will not be caught.
The article links to a 2001 resume which never mentions GNU and only once mentions Unix but lots of Windozed based cracker toys and garbage. His efforts, while many, were too narrowly focused.
It does not look like he mastered Windoze cracking or much else by the time he was caught three years later. Besides being dumb enough to try to sell information, he accepted a proxy from a stranger. Someone who knew what they were doing would have a botnet proxy they set up themselves that could never be traced through. What else is windoze cracking good for?
The whole mindset was script kiddie. Own a phone service and collect stuff. What a waste of time.
He got his resume wish in a perverse way. He wanted a job in computer security. Now he's a felon and gets to spend some quality time as a government slave, snitching on his friends till he's all used up. Or he can go to jail and take the usual felon jobs: dishwasher, garbage man and other highly undesirable manual labor in tiny shops that know they can abuse you. Those jobs will be waiting for him when the government is through with him.
Friends don't help friends install M$ junk.
I noticed while at the Starbucks T-Mobile would like to charge either $10/day or $30/month to get Internet access.
They should have made it free. I might be obliged to buy bad coffee if it were free.
Anyway, if you have a wireless laptop, the T-mobile network is autodetected. If you launch Internet Explorer or Firefox, the T-Mobile page comes up where you pay by credit card and log into their network.
Try an NSLOOKUP for some domain. And it works. The DNS UDP port is open. The only problem is your browser typically likes to run on the TCP port.
No problem LO!.
If you install the SQUID proxy server, it will route your browser's HTTP port 80 traffic along that DNS UDP port and you can gain Internet Access for free.
http://www.squid-cache.org/
You just need to install another publicly available squid server to use as your proxy that will convert DNS UDP back to TCP 80.
It might be slow as heck, but I'm not paying for Internet Access.
Now, the main problem with today's story is just the fact some one went into a Starbucks and broadcast a server that looks like the T-mobile page. People mistakenly entered their login info or their credit card.
If T-Mobile Internet Access was free, no personal information could have been stolen so easily. Although, you still have to worry about packet sniffing.
As a T Mobile customer, I read the original article (before reading Slashdot responses) and called T Mobile customer service. The poor woman had no idea about the article or security problem and turned me over to the media relations department answering machine. Did anyone else get a response out of them?
"...and even knew the agency was monitoring his own Microsoft ICQ chat account. "
not his microsoft ICQ chat!!!!
some super 733t MD67 algorithm
--
MD67 is a Message Digest; it's not used to encrypt anything.
Oops, you aren't supposed to know about that. Please remain where you are and we'll dispatch some gentlemen from the ministry of truth to your home.
It did not appear to me that the handset had the power to encrypt the transmissions, and I assumed at that time that the policy was to communicate via radio, unencrypted, and then encrypt the transmission with SSH where it enters the public Internet.
I would suspect that anyone who relied on the SSH client for T-Mobile for privacy, may find their information compromised.
Can anyone confirm or contest this suspicion?
See, this is all quite humorous to us all that have worked INSIDE a large company. Tell me what you want I could have gotten it. No questions asked, and I was only working in the desktop support.
as its weakest link.
(This event could be called "backdoor", couldn't it?)
This is why you go public with exploits for stuff like this doesn't happen. If we keep pissing on the hackers that do the right thing, then this won't stop... it will get worse..
http://www.securityfocus.com/archive/77/216516
Applications: Microsoft Visual Studio, Microsoft Office Suite, Paint Shop Pro,
Corel Suite, Maya 2.5, FrontPage, Dreamweaver, Ultraweaver, Homesite, TopStyle,
Adobe (various), AutoCAD, AutoDesk Inventor, Filemaker Pro, Borland Programming
Suite, Flash, Poser, Internet Space Builder, Retina, Nscan, Nmap, Visual Route,
PGP, SATAN, SANTA, SAINT, L0phtcrack, Crack/John the Ripper/Derivatives, Iris, Notepad,
Ultra Edit, SoftIce, among others.
I better get working on my notepad skills if I need a job.
I remember watching in The Corporation that you could do the same job for a big corporation too. It seems that ethics apparently don't apply to governments or corporations. To be honest, that scares me.
People are uncomfortable about taking compromising photographs to a drug store to be developed, why don't they understand it's no different when information is hosted on a company's server?
This technology is really useful, but it just sets stupid people up to be caught with their pants down (literally or no).
-- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
The thing that's missing from this story is any sort of indication that T-Mobile has made even the smallest attempt to fix the vulnerabilities that allowed this guy to access all of T-Mo's customers' account information (mine included).
T-Mobile has known that they've been compromised for at least SIX MONTHS. My name, Social Security number, date of birth are probably all still sitting there OUT IN THE OPEN just waiting for another 21-year-old hacker to come along and ruin my credit rating. Secret Service investigation or no, that's negligent and inexcusable.
I'd like to comment on the security of T-Mobile applications as an ex-employee...
While in college (1998-2002) I worked for a contracted company of Voicestream Wireless (previous name of USA T-Mobile) where I did tech and customer support. Since we were not voicestream employees we had to access their system remotely.
They had this done with Terminal Services on a private network and everyone used the same login/pass to gain access to their application server. Once in this server they had a proprietary software system (I think it was called StreamLine) that was used to manage accounts. This system required the use of your own username and password. The funny thing was if you wanted to do something shady you could use the accounts of previous employees since they never removed ex-employee accounts.
By looking at T-Mobile's security practices of 3 years I doubt much has changed. I for one would never buy a phone or service from since I worked on the inside.
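The stale-account problem described in the comment above (application logins of former employees never removed), shown as an added defensive example that is not part of the original thread and not code from any system it mentions: it cross-checks an HR leaver list against the enabled accounts and a login log. Every account name, date, host name and file layout below is constructed for illustration.

```python
"""Added example: find enabled accounts of departed staff and logins made with them.

All data is constructed; the layouts are assumptions, not a real system's format.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR export: account and last working day (blank = still employed).
HR_ROSTER = """account,last_day
asmith,
bjones,2001-03-15
cnguyen,2000-11-30
"""

# Constructed export of application accounts that are still enabled.
ENABLED_ACCOUNTS = {"asmith", "bjones", "cnguyen", "svc_batch"}

# Constructed login log: timestamp, account, source host, result.
LOGIN_LOG = """\
2001-04-02T09:14:07 asmith ts-gw01 OK
2001-04-02T22:41:53 bjones ts-gw01 OK
2001-03-14T16:02:10 bjones ts-gw01 OK
2001-04-03T02:17:31 cnguyen ts-gw01 FAIL
2001-04-03T02:17:49 cnguyen ts-gw01 OK
2001-04-03T08:00:00 svc_batch app01 OK
2001-04-03T08:05 truncated
"""


@dataclass(frozen=True)
class LoginEvent:
    when: datetime
    account: str
    source: str
    ok: bool


def load_roster(text):
    """Map account -> last working day (None while the owner is still employed)."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        last = row["last_day"].strip()
        roster[row["account"].strip()] = date.fromisoformat(last) if last else None
    return roster


def parse_log(text):
    """Return (events, rejected); malformed lines are kept for review, not dropped."""
    events, rejected = [], []
    for line in text.splitlines():
        try:
            when_s, account, source, result = line.split()
            if result not in ("OK", "FAIL"):
                raise ValueError(result)
            events.append(LoginEvent(datetime.fromisoformat(when_s),
                                     account, source, result == "OK"))
        except ValueError:
            if line.strip():
                rejected.append(line)
    return events, rejected


def audit(roster, enabled, events):
    """Compare enabled accounts and login events against the leaver list."""
    departed = {a: d for a, d in roster.items() if d is not None}
    return {
        # Still enabled although the owner has left: disable these first.
        "orphaned": sorted(a for a in enabled if a in departed),
        # Enabled but unknown to HR (service or shared accounts): need an owner.
        "unowned": sorted(a for a in enabled if a not in roster),
        # Any attempt, failed or not, after the owner's last day is an incident lead.
        "post_departure": [e for e in events
                           if e.account in departed
                           and e.when.date() > departed[e.account]],
    }


def run_audit():
    events, rejected = parse_log(LOGIN_LOG)
    findings = audit(load_roster(HR_ROSTER), ENABLED_ACCOUNTS, events)
    findings["rejected_lines"] = rejected
    return findings


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(key, value)
```

Because everyone in the anecdote shared one gateway login, the source host in such a log cannot attribute a session to a person, which is why the per-user application accounts are the ones worth auditing.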
Could that story be any more bland?
Hire me.
I used to work for T-Mobile. Without going into too much detail, this comes as no surprise to me. This is a collection of smaller companies all of whom hate each other. There is no definitive structure nor are there any true checks and balances to make sure things are being done and done correctly. The phrase "chewing gum and duct tape" is what comes to mind when describing how their network is built. Let's put it this way, rsh and rcp are used extensively to move data around on an open corporate network.
When people use cell phones for messaging, pictures, etc. they have no idea where that crap is stored, and who has access! They seem to assume that it's *private*.
T-Mobile provides the worst service among all big mobile carriers in the U.S. Someone should break into them again. Good job!
Everbody knows that white men are losers who never had sex.
I guess the show 24 on Fox is somewhat accurate, seeing as they use T-Mobile telephones for all of their communication. Maybe this guy was just a big fan and wanted to find out Jack Bauer's home address?
This is just hearsay (and I didn't RTFA), but I've heard that the "job" you get when you get busted hacking is not something you want.
Basically, it's equivalent to stamping license plates, but not "technically" in jail. You live under their thumb, and don't get any pay. It's more like severe house arrest where they force you to work than a job.
Be civil to all; sociable to many; familiar with few; friend to one; enemy to none. --Benjamin Franklin
But then who hasn't seen "candid" pictures of Paris Hilton or Demi Moore?
It is better to be the hammer than the anvil.
Poorly formatted, no logical grouping, lists every software package he has ever touched (I'm surprised he didn't list Dell, Gateway, etc.), and completely lacks any kind of focus. I don't know how old this is (looks to be from 2001) but folks this should be an example of 'how not to do an entry level resume'. Also just for the record, if you kids do want to get into security, learn Snort.
Copied below for 'posterity'. Note that he lists "social engineering" as a technique.
Nicholas Jacobsen
1911 NE Thompson
Portland, OR
Massage: (503) 287-4812
Email: ethics@netzero.net
Employment
* Long Term Goal: Network Manager position in the Computer Security Field
* Immediate Goal: Network Administrator in the IT field.
* Computer Security Institute's NetSec '01 New Orleans, LA June 2001
Intern: Technical Services, Computer Setup/Configuration, Attendee Registration, and Customer Service
* 27th Annual Computer Security Conference Chicago, IL November 2000
Intern: Technical Services, Attendee Registration, and Customer Service
* Ethics Design Winston, OR 1997-Present
Consulting in computer system setup, design, security, and software.
* Mustard Seed Educational Services Roseburg, OR 1989-1998
Website design, achievement test scoring, cashiering, curriculum recommendation, computer inventory and sales, program maintenance, exhibit hall setup/tear-down, assisting with publishing 32 page catalog.
Education
* Goal: BS in Computer Science via part-time studies and CISSP Certification
* Professional Education:
* NetSec '01, Attended:
* How to Develop a Winning Security Architecture - David Lynas
* Windows 2000 Security - Joel Scrambray
* Virus Writers and Legislation - Sarah Gordon
* Creating a Comprehensive Intrusion Detection System - Charles Hudson, Jr.
* Phreakers to Frauds: Telecom Crime Investigation and Prevention - Andrea Morin
* Building Secure Software - Gary McGraw
* Preparing for ISO 17799 - Tom Peltier
* Viruses, Hoaxes, Trojans, Worms, Where Will it End? - Bob Cartwright
* Practical Forensics - Peter Garza
* Hacking UNIX - Bob Geiger
* 27th Annual Computer Security Conference, Attended:
* Intrusion Techniques & Countermeasures - Rik Farrow
* Implementing a Computer Incident Response Team - Peter Stephenson
* 10 Other Security Classes
* Formal Education:
* Associates of Science Degree, Umpqua Community College, June 2001
* High School Diploma, Umpqua Community College Adult HS Diploma Program, March 2001
High school curriculum consisted of college preparation in math, reading, writing, humanities, music, social sciences, science, Hebrew, Latin, Greek, the study of the Great Books, and 2nd year college level computer course work in web page design, data communications, visual basic, C++, and networking. Approximately 50% of high school coursework has been at the College Credit (CC) level.
Familiarity with...
* Operating Systems: Windows 3.x, 95, 98, NT, 2000; Novell NOS; Unix variants, OS/2, DOS, VMS OS
* Languages: Perl, Basic, Visual Basic, C/C++, Java, JavaScript, DHTML, HTML, CGI implementation, ActiveX Implementation
* Applications: Microsoft Visual Studio, Microsoft Office Suite, Paint Shop Pro, Corel Suite, Maya 2.5, FrontPage, Dreamweaver, Ultraweaver, Homesite, TopStyle, Adobe (various), AutoCAD, AutoDesk Inventor, Filemaker Pro, Borland Programming Suite, Flash, Poser, Internet Space Builder, Retina, Nscan, Nmap, Visual Route, PGP, SATAN, SANTA, SAINT, L0phtcrack, Crack/John the Ripper/Derivatives, Iris, Notepad, Ultra Edit, SoftIce, among others.
* Techniques: Firewall Configuration, Network/Server Security Analysis, HTTP/FTP/Telnet/IRC Server Configuration, LAN administration, Social Engineering, Intrusion Detection/Analysis, and Cryptography.
The force that blew the Big Bang continues to accelerate.
I doubt that a domestic agency would go to that kind of risk with an amateur like this guy. More likely they'll make him cooperate with any ongoing investigations as a condition of his plea and testify against any new defendants at trial. The better term is "snitch," or more politely "cooperating witness."
In fact, if you RTFA you'd find he hasn't even accepted the plea offer yet, but probably will given that he's facing a ton of jail time.
My guess is that Booker/FanFan (http://sentencing.typepad.com/sentencing_law_and_policy/2005/01/scotus_speaks_e.html) will delay any sentencing in this case (and many other federal criminal cases).
With each other?! JPEG! JPEG!
Several of my colleagues go to the local T-Mobile offices for lunch about once a week. Great food, apparently, and ridiculously cheap (subsidised staff meals, I assume). OK, so the canteen isn't the server room, but still...
Ok, his resume doesn't showcase anything special, and most likely he was able to get into T-mobile because they've neglected updating their Cisco firmware for a decade or something dumb like that, but at least he's actually doing something that sounds impressive. Writing a virus that looks for Outlook email lists and clogs a bunch of LAN's while trying to spread doesn't impress anybody, even your dumb anarchist friends. It just pisses people off. Accessing a communications company's servers and stealing SS emails and digging up dirt on celebrities makes a much better story when you and all your pale-skinned, neon-haired friends are sitting around the campfire holding hands and singing "Du Hast Mich."
WHAT THE FUCK IS THE SECRET SERVICE DOING CONDUCTING BUSINESS OVER T-FUCKING-MOBILE NETWORKS?
thank you.
Seriously the dumbass agent who was mentioned in the article should be canned not lauded.
"Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
I highly doubt that the Secret Service authorized one of their agents to use a SideKick for 'sensitive' data. It is most likely his own personal device and the ID10T used it to transfer 'sensitive' information over an unprotected network.
Also the hacker violated the T-Mobile servers so of course he could access any of their customer data, even the pictures they take with their T-Mobile phones or Sidekicks.
Other SS agents who were tracking the hacker stumbled across their fellow agents documents being published on IRC, etc.
So I would not be surprised if this SS agent is 'disciplined' by his superiors for using the SideKick for government data transmission.
Just because a device is convenient and easy to use doesn't mean there is not a good reason to avoid its usage. BlackBerries are more secure but nothing is perfect. Heck anything public wireless should scare the heck out of most IT managers at the FBI, CIA, NSA, SS, etc.
I do remember something about Blackberry working with the government on a more secure custom system. The politicians and government officials really want a secure wireless email and SMS platform.
Another thing I forgot in my previous reply. Change your e-mail address or make it so potential employers can't get to your live journal and or website within a few clicks. Your website mentions politics which could likely turn down some potential employers, and your live journal talks about being depressed within the first 5 entries. Don't give a potential employer that much information about yourself. Even if you have to put a hotmail address on your resume, it's better than them knowing all there is to know about you, any of it can be held against you.
:)
PS- Good luck with your newborn child. You have a very pretty wife, you are a lucky man.
...to get the media attention. Read this post of his one month prior to his capture: http://lists.netsys.com/pipermail/full-disclosure/2004-September/026644.html
Slashdot, you've been scooped.
Bluesnews had this hours before you did.
This guy tripped across a username and password on what looks like luck...he'll mainly be providing info on places he hung out in and names.
here is a link to a new article that provides some more detail on this event. http://seattlepi.nwsource.com/business/aptech_story.asp?category=1700&slug=Cellular%20Hacker
pardon my ignorance, but WTF
does t-mobile have ssn to begin with?
Its not like they're a bank or something
These kind of stories pop up from time to time and they are all written in the same style.
it's very much propaganda for their projects and scaremongering for the community it's directed at.
the contradictions in it and name and reference platters combined with some known truths are supposed to create the idea that it is all verified.
Question Authority
and don't believe the hype by default
have a look at http://yro.slashdot.org/comments.pl?sid=135765&cid=11347687
Nothing new here. Ever hear of the Nicaraguan drug trafficker Oscar Danilo Blandon Reyes? He was a major operator who had smuggled tons of cocaine into the United States. He was busted in 1992, but instead of receiving a life sentence and a US$ 4 million fine, he was in prison for only 48 months, received no fine, and has been working for the DEA as a confidential informant since 1994. He was described as having "almost unlimited potential to assist the United States." The fact that he was connected to the CIA-sponsored Nicaraguan Contras may have something to do with it...
Give me six lines written by the hand of the most honest man, and I will find in them something to hang him.