Slashdot Mirror


How the Secret Service Busted ShadowCrew

plover writes "In the story Hacker Hunters, BusinessWeek Online documents how the Secret Service turned a member of the ShadowCrew and was able to arrest dozens of the members of the phishing ring. From the article: 'Law enforcement officials are often loath to reveal details of their operations, but the Secret Service and Justice Dept. wanted to publicize a still-rare victory. So they agreed to reveal the inner dynamics of their cat-and-mouse chase to BusinessWeek. The case provides a window into the arcane culture of cybercriminals and the methods of their pursuers.'"


  1. At what cost? by xorowo · · Score: 4, Interesting

    I'm all for catching these guys, but I wonder about publicizing the details at this time. Is this supposed to make us feel better about the Patriot Act -- "look here! See how we can bust the bad guys with the 'right' tools!" -- or are we just supposed to be happy that something was done about this gang of thieves? I don't expect everything to be about freedom and democracy, but it is too easy anymore to question why authorities give us this information, rather than look at the information for information sake...if that makes any sense.

    1. Re:At what cost? by RodgerDodger · · Score: 4, Interesting

      These things need to be published for their deterrent value. One big problem with cybercrime is that the criminals feel that they'll never be caught, and if they ever are, then the punishment will be a slap on the wrist.

      As long as this perception (which is very valid!) exists, the risk-reward ratio makes cybercrime attractive. Busting the crooks isn't enough to change the perception - you need to let the other crooks know that they could be busted next.

      Organised crime, in particular, is a business. If they start to feel that their criminal ventures are too risky, they'll go elsewhere (quite possibly into legit business, where their complete lack of ethics will help them fit in with the rest of the corporate sharks)

      --
      "Software is too expensive to build cheaply"
  2. Costs by The+Bungi · · Score: 2, Interesting
    From TFA:

    Part of the problem is that cops don't have all the weapons they need to fight back. They clearly lack the financial resources to match their adversaries' technical skills and global reach. The FBI will spend just $150 million of a $5 billion fiscal 2005 budget on cybercrime -- not including personnel -- in spite of its being given the third-highest priority.

    Maybe I'm being naive here, but it seems that these people are getting away with whatever they're doing and incurring much lower costs in the process.

    Law enforcement needs to stop worrying about (and identifying as such) the average script kiddie and focus on the large mob-like operations. I'm guessing they'll get much more bang for their buck that way. I can't see how 150 million dollars is not enough to take down at least a couple of the big rings given that they operate on Jolt and Hot Pockets (or whatever passes for that in Romania).

  3. Shadowcrew Forum by Andorion · · Score: 3, Interesting
    For a short time after Shadowcrew was busted, their private forums were accessible to the public. I archived about 12 threads, one of which was a 10 page long "shadowcrew being investigated" thread.

    Here are some excerpts:

    10 full info cc's for sale

    Hello

    info details:
    NAME ON CARD: CARD NUMBER: DATE: CVV: PIN: ROUTING: CHECKING: ADRESS: CITY: STATE: ZIP: COUNTRY: PHONE: SSN: MMN: DOB:
    price is 100$ for 10 infos
    I accept e-gold
    icq xxxxxxxx

    for buyers: we can use escrow if you like

    CALIFORNIA Lic
    if you are willing to sale a real cali lic. with a clean record. iam looking for one, with these details.
    hispanic or indian, male, 5'9 to 5'11, brown eyes, black or brown hair. 160lbs to 180lbs, DOB: 1964 TO 1974..
    drop me a PM with the info & price.
    thanks for your time & be safe.

    Offering DDOS Service
    Hi,

    Firstly I can understand if the owners, and moderators of SC do not want this kind of service offered here, and I'll apologize in advance. However I couldn't find anything against it, other than SC being the victim of such attack.
    I'd like to be reviewed for this service, if possible. Thanks.

    PayPal accounts - many
    All kinds of PP ACCZ...

    Verified/No Verified, Active/No Active, Mail
    access/without, Any balance/0, USA, UK, Europe...

    icq: xxxxxxxxx

    2Admins: i can give you some for review -
    knock, knock

    people for instore... will provide dumps and matching plastic

    I am looking for people out there who would be willing to do instore for me if I provide dumps (high quality) and matching plastic. Please PM me for more info. I dont want to discuss too much here in the open.



    Scary stuff.
    1. Re:Shadowcrew Forum by PseudoThink · · Score: 3, Interesting
      Interesting...but what I'd REALLY love to see is the chat-log of the group meeting mentioned in the article. I'm guessing that around 9pm, it starts getting rather entertaining.

      From the article:

      To ensure the suspects were at home, a gang member-turned-informant had pressed his pals to go online for a group meeting.

      At 9 p.m., Nagel, the Secret Service's assistant director for investigations, issued the "go" order. Agents armed with Sig-Sauer 229 pistols and MP5 semi-automatic machine guns swooped in, aided by local cops and international police. The adrenaline was pumping, in part, because several ShadowCrew members were known to own weapons. Twenty-eight members were arrested, most still at their computers. The alleged ringleaders went quietly, but one suspect jumped out a second-story window. Agents nabbed him on the ground. Later, they found a loaded assault rifle in his apartment. The operation was swift and bloodless.
  4. Re:Why doesn't this make sense? by KiloByte · · Score: 4, Interesting

    "Hacker culture" or "bottom-sucking cracker thieves culture"?

    We have enough media confusing "hacker" and "cracker" already.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  5. Nice to see actual criminals for a change.... by Vellmont · · Score: 4, Interesting

    It used to be the Secret Service wasted their time going after people publishing electronic magazines like Craig Neidorf (Phrack), people making a board game with "Hacker" as the name like Steve Jackson Games, or people looking to just break into computers for fun and understanding.

    Now they're going after actual criminals that the above people warned us about. I've got to say that's a real improvement. Of course it took actual electronic criminals to make them realize who the real enemy is.

    --
    AccountKiller
    1. Re:Nice to see actual criminals for a change.... by Anonymous Coward · · Score: 1, Interesting

      people that break into computer systems regardless of whether it is "for understanding" are in fact criminals.

      they should be treated as such.

      they people should be treated harder yes, but a person that illegally breaks into a system is a criminal and should be punished.

  6. shadowcrew.com by Anonymous Coward · · Score: 4, Interesting

    I received an unusual spam message advertising warez, cardz, etc. and took the time to trace the message back to the shadowcrew website. The forums on this site were amazing. Basically it was a hub for people to advertise very highly illegal services, or sell lists of credit cards, passwords, etc... a hub for identity thieves, and fraudsters.

    I reported this site to the FBI, and received the following response from them (back in October of last year).

    "Thank you for your submission to the FBI Internet
    Tip Line. Inasmuch as the FBI has recently
    received numerous reports concerning the
    "www.shadowcrew.com" Web site, there is no need to
    forward any such additional emails to us. Our
    Cyber Division is aware of this Web site, and is
    addressing the matter."

    It was only a matter of time until these idiots were caught. You can't be this open about such illegal activity and not expect a response from the feds.

  7. Re:Sloppy editing regarding firearms by sootman · · Score: 3, Interesting

    Last time I looked at a catalog (a while ago) you could mix-n-match the modes of operation, as evidenced by the selector: safe (one white bullet), semi (one red bullet), two-round burst (two red bullets), three-round burst (three red bullets), and full-auto (seven red bullets). You could order one with any trigger group you want--like safe, semi, two-round, and full; or safe, semi, and three-round burst only. (But if you call up and ask for 'full auto only and no safe, please' they'd probably hang up on you. :-) )

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  8. Re:This sounds like it'd be easy to do by CrazyJim2 · · Score: 2, Interesting

    You see, the thing about action-based MMORPGs is that people want to play them, and if people want to play, they will pay to play! So if I make a game with puzzles and intergalactic bounty hunters, people will buy it and I could make millions. I found out that if I was a game designer, I'd probably be employed at a game company, not a grocery store, so China and India wouldn't make money off of outsourcing. Also, because of that my car, without ABS I might add, would handle like some new kind of competitive, multiplayer Tetris game that only netcafe strategies from Korea could defeat. But I get ahead of myself. True A.I. is easy. Ask me, and I'll say, "Hey! Yah, true A.I. is easy! Let's make one!" Then you'll say, "Cool! That's neat! Let's research bees while our A.I. makes us spaceships." So why can't I get a job at DARPA or Google? Because there is no way for me to show my skills. It's not like rap music, where you can rap and people hear you. Also, and I know I'm dragging on so please indulge me, I think that if you combined 3rd person action with Transformers I'd be the world ranked Warcraft III player. Roaming Dragon was my idea, just like DNA and P2P, but you don't see me getting upset that someone stole my ideas and made millions. I think it is important for these things to exist and that is why I'm not suing anyone. Plus, world peace is important if we are all to get along and stop playing unimaginative MMORPGs like World of Warcraft. I think that if someone combined Crystal Space with Fire Polar Bears and Contra (the hard way) they could make millions.

    --
    "But theres things mightier than a sword, and there are things mightier than pens. Guns and rap." - CrazyJim1
  9. Re:Cuckoo's Egg by Cliff Stoll by Anonymous Coward · · Score: 1, Interesting

    Mr. Stoll broke into the CIA computers, the Pentagon and other various sites

    I call bullshit. I read that book and Cliff Stoll did not crack any computers himself.

    What he did do was:

    a) figure out that a cracker was using computers on his network to crack into government computers;

    b) start keeping logs on the cracker, by hooking up printers to the serial data lines;

    c) start trying to get someone (anyone!) in the US government to do something (anything!) about this

    d) at one point, he got nervous while watching the cracker getting into a sensitive government computer, and he took his keys and shorted out some connections on a serial data line, to make noise; he made enough noise that the cracker decided to log out and try again later.

    all fully documented in his book.

    So, if I'm wrong and you are right, please give me the page numbers of the book where Cliff Stoll claims to have cracked any computers at all.

    That book was often referred to as "The Hackers Handbook".

    I call bullshit again. I have never heard anyone call The Cuckoo's Egg "The Hackers Handbook".

  10. Huh? by flithm · · Score: 2, Interesting

    I'm not sure what you're talking about here. The punishment for computer crime is significantly harsher than that of its non-technical counterpart.

    You could walk into a bank and rob it at gun point, all the while threatening to kill people, and there's a good chance you'd only be in jail for about 7 years.

    On the other hand, rob the same bank, of the same amount of money, without a gun, and without threatening anyone, but do it with a computer, and you could be looking at 20 years!

    In Canada, a simple DOS attack will get you 10 years in prison.

    Also, under the Youth Offenders Act, youngsters who commit computer crimes are always punished to the maximum extent (3 years). In comparison, some children convicted of murder have been let go in one year.

    Computer crimes carry a harsh penalty.

    Despite this, cybercrime is still attractive? Precisely because it's easy, and non-confrontational. I don't think it has as much to do with the risk/reward ratio as you may think... because those who are actually considering committing these crimes are very aware of not only how easy it is to get caught, but how strict the penalties are.

    It's not like the good ol' days when you could hack a Gibson across state lines. Nowadays if you do something big enough, people will notice, and unless you have a huge crime syndicate protecting you, you're going to get caught.

    Having said that... I think I'm going to go walk into a bank with an axe. To me, the risk/reward ratio on that one seems really good! Way better than this computer crime crap. Why waste time learning all those damn c0dez when I can just walk down the street in a crazed fit!

  11. Re:But at what cost to our privacy? by zuzulo · · Score: 2, Interesting

    Let me be the devil's advocate here for a moment.

    Postulate the existence of a cryptographically secure, anonymous peered infrastructure overlay for the internet. Not much of a stretch because lots of folks happen to be working on just this sort of technology (I2P, Tor, and many others).

    Then postulate the existence of an online currency based on secure cryptographic algorithms. Kind of like a digital bearer bond, if you will. This is a bit more questionable, since most research into digital cash has been directed at ways to make transactions *less* anonymous than actual hard cash transactions. On the other hand, if the aforementioned anonymous peered network exists, you just need a non trivial set of community rated key escrow and transaction settling agents to mediate transactions and currency exchange. It is hard to see how this sort of transaction would work for actual physical goods, but for digital goods (a portion of the market economy that will only increase in size) or anonymous services one can see how anonymous transactions could fairly easily take place. Designing a cryptographically secure anonymous currency is an interesting problem, however.

    So, let's assume that you have both an anonymous, secure network, and a variety of well respected anonymous digital currencies. This assumption does not really seem too far fetched to me, although it may be 10 years or so before early versions of secure and anonymous digital currency become sufficiently established.

    In any case, the implication here is that some individual (let's call him potential felon X) could complete a completely anonymous transaction with some supplier (potential felon Y) for digital goods and/or services utilizing a secure digital currency issued by an online bank (bank Z). None of the parties in this transaction can know who any of the other parties are.

    This raises an interesting point. In this sort of environment, how do you enforce legal standards on the *process* without compromising both the buyer or the seller *independently*? Normal law enforcement procedure is to compromise one of (X,Y,Z) and use that entity to sweep in the other parties to the transaction, but the problem becomes exponentially more difficult if none of the parties to the transaction connect.

    It strikes me that this is an interesting conundrum we will have to deal with as a society in the relatively near term - if you can't track the money, and you can't connect the agents, how do you enforce societal standards of behavior except by catching folks as individuals during or after they commit whatever infraction is in question? This is true for a wide range of transactions (e.g. free speech, terrorist plots, tax evasion, collusion, fraud, identity theft, assassination, political conspiracy, insider trading, music sharing, IP infringement, copyright infringement, etc) some of which we support as a society and some of which we condemn.

    The tech is coming, it seems to me that someone ought to be thinking about the implications ...

    --
    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
  12. Re:We need more of this. by interstellar_donkey · · Score: 2, Interesting

    I was thinking along the same lines when I read this. It appears that higher-up feds have been generally interested in stopping computer crimes which have been committed against large companies, as opposed to crimes committed against individual citizens, and that always bothered me.

    A hacker that does little more than break into a multi-national corporation's computer for the sake of curiosity and adventure is somehow public enemy #1. On the other hand, an organized group of thieves who steal the money and identities of thousands of innocent people and cause them incredible amounts of difficulty rebuilding their credit is something "we'd like to handle, but we really don't have the resources".

    I can't say for sure, but I suspect operations like the one mentioned in the article are more likely motivated by pressure from credit card companies losing money on fraud and identity theft protection "insurance", not the pleas of hundreds of thousands of individual citizens who are actually victims of those crimes.

    It amuses me when they talk about "damage" in dollar amounts of a worm or virus. Let's say virus A hits millions of home users destroying their individual work, financial records, and costs them time and money to get their computer running right again, while Virus B hits a few thousand machines at a select few large corporations. The dollar amount of "damage" virus A is calculated to be very small, and may only consider an increase in an ISP's or computer manufacturer's queues for telephone tech support. Virus B's damage is calculated to be some unrealistic number in the billions based not only in the real costs of repairing the damaged machines, but on subjective estimates in "loss of productivity" which always make it sound much worse than it really is.

    While virus A does far more damage in the aggregate, Virus B is given a higher priority due to companies claiming outrageously over inflated "damages" based on vague and misleading estimates. Or, to put it more cynically, tracking down the perpetrators of Virus B is more important to law enforcement because it hurt big business, while Virus A really isn't a big deal because it only hurt regular people.

    I realize this line of thought treads dangerously close to the "tin-foil hat wearing big business controls the government" camp. But consider this: How many individuals have been investigated, arrested and convicted for gaining unauthorized access to a corporation's computer, obtaining private or confidential information without the willing consent of that corporation? I don't know the exact number, but I'm sure there's been more than a few.

    On the other hand, how many companies out there have been fined, or their corporate officers jailed for producing software which covertly installs on millions of private individuals' machines without explicit permission from the user? Software like spyware which operates 'behind the scenes', is nearly impossible to remove, causes computer performance to suffer, and sends private or confidential information back to the company. None that I know of, despite the fact that many of these companies operate in the United States with offices and mailing addresses.

    My guess this is because for the most part what these companies are doing is not illegal. Our laws are written in such a way where what an individual does to a single company is a criminal offense while the same action by a company against millions of innocent people is alright. In my opinion, burying a sentence littered with legalese, but which says something to the effect of "User also agrees that in using this software, certain third party software may be installed on the user's computer which may send information to various third parties" deep within the text of a EULA does not mean the end user is really making an informed decision in allowing the spyware to be installed when they click 'yes'.

    So far, there have been no laws passed which require companies that produce spyware to accurately inform

    --
    The Internet is generally stupid