Tech Lessons From the Bad Guys

Chris Lindquist writes "Organized crime, porn peddlers, gambling sites — they all use technology to make a killing. CIO.com has posted several stories that spell out how the seedy side uses IT for profit. From the online techniques of penny stock scammers to innovation lessons from a pair of 'accidental pornographers,' to what you can do to fend off cybercriminals, find out what they do right when they're doing wrong."

Wanted: Linux systems administrator.

For those of you wondering about the pr0n stuff.

I was looking for a job and had posted my resume on line (monster.com I think) and got a call from a guy looking for an admin with web server skills. The third or fourth question was if I minded the fact that they would be pr0n servers.

I had to turn them down, and no I don't remember the company name.

So, if you have the right skill and are in a big city market, who knows. You might just get a call.

Here's how it's done

[Opportunist]

Do you know that Western Union doesn't require you to legitimate yourself when withdrawing money if it's not more than (IIRC) 6k bucks? So all you gotta do is find some gullible moron, who'll "work" for your "international financing company" by offering you his account for a transfer. You have your target transfer the money to this moron's account and have him transfer the money via WU, and inform you about the transfer code. He can keep, say, 20% of the stolen money, and hey, who'd turn that offer down, about 1k bucks for 2 hours work? Almost too good to be real!

Then you (or if you're a larger organisation, one of your goons) goes to WU, hands in the transfer code and heads out with the money.

Of course the "financial agent" gets caught. But that's no loss, you know, there's an idiot born every minute, you'll find others.

Re:Here's how it's done

Bullshit. I cashed my first WU check at Kroger a couple of months ago. It took two trips back home before I got my $300. Here is what I had to provide to get my $300.

1. Photo ID
2. Address of Sender
3. Full name of Sender
4. Exact amount of transfer I was looking to receive
5. Phone number of Sender
6. My phone number
7. My full name
8. My address

I went to two different places that dealt in WU and both had the same forms requiring all of this bullshit.

Re:Accidental pornographers?

[twistedsymphony]

It was very interesting, while I knew that the porn industry was fairly in-tune with technology the article left me with the impression that they drive tech advances more then we realize... The one bit on open source software really caught my eye:

Another red light best practice is to look for vendors that use open source. Since sites are open 24/7 (late-night hours are extremely profitable on the red light Web), "if we ever run into critical issues we need them solved now, not two hours from now," says Bodog's Ayre, who has learned that if he wants his people to be able to fix something, they need to have access to the source code. "We absolutely could not get a couple of our vendors to address an issue that was crippling us," says Ayre. "Under peak loads, the entire site became nonresponsive. We had no choice but to decompile the systems in question and fix the problem ourselves. This was probably one of the biggest drivers pushing us to adopt open-source solutions for our most critical systems."

Probably one of the best arguments for a corporate adoption of open source software I've ever heard. I know, at least at my company, we're in constant struggle with our software vendors to fix bugs that are critical to us but maybe not critical to their other clients. This is particularly frustrating when we have the knowledge necessary to fix the problem ourselves... just no access to the source.

An extra thought

[Moraelin]

Exactly. Reading the summary left me scratching my head too. You've nailed the moral judgment excellently already, so I won't repeat that.

But I'll add another thought there: regardless of the moral judgment, exactly what is to learn from porn or gambling sites anyway?

No, seriously. Spammers, scammers, DDOS extortionists, etc, actually face some technical challenges. They need zero day exploits to maintain their army of zombie machines. They need to circumvent or disable protections. (See the many viruses or trojans that disable the major antiviruses and firewalls.) They need to dodge the law, at _least_ in that they need to transfer the ill gotten money abroad without leaving _too_ many obvious traces. Etc.

Those are real technical challenges. Antiviruses for example are getting so defensive against being disabled, that it's sometimes hard to fully uninstall them even as the legit owner of the machine.

You can learn something from that, and (in response to other posts) there _are_ legitimate uses for that knowledge too. E.g., whatever techniques they use to automate looking for buffer overflows, should be mandatory testing techniques for new software.

But porn and gambling sites? Gimme a break. I dare say most of the porn sites are actually just a plain old normal web site. There's nothing particularly high-tech about them, really. Just some thumbnails linking to a video or larger picture. In really "high tech" cases, they might open a popup via javascript for the page with the embedded movie. But that's about it.

Exactly what's to learn there.

Sure, a number of sites use porn as a bait to get one virused. But even then it helps to realize that that's not primarily a porn site, it's primarily a script-kiddie site and the porn is just the bait there. Just because the porn is the bait, doesn't make porn itself some high-tech black-hat thing.

To use a metaphor, there have been cases where people have been lured in a RL (non-internet, back-of-the-van kind) scam with such promises as a cheap second-hand laptop or whatever other cheap no-questions-asked good. Yet that doesn't make laptops themselves some evil bad-guy kind of scam. It's just the bait, the scam is a completely different half of that incident.

Re:"The bad guys"???

[BlueTrin]

That's exactly what I thought when I read the headline ...

Take a look at this article which tells us how the US porn webmasters have to hide from the public ...

Re:Accidental pornographers?

[russotto]

You don't need to re-compile. You can find the bug by reverse-engineering the binary, then make a binary patch without recompiling.

Re:Accidental pornographers?

[anticypher]

Do you want a serious answer? Well, I'm going to write one anyways.

There are basically two kinds of guys in the internet porn industry. The serious pornographers who can convince all the scarily slutty women to get dirty for a small amount of cash, and the webhosting guys who realise they need some higher margin content to pay the bills.

The pornographers don't particularly have much technical skills, at least not for setting up websites and payment processing schemes. They may have tremendous photoshop skills, because the women they shoot tend to have a heinous amount of scars, tattoos and piercings. The porn producers are always looking for ways to set up web sites to make money, but they tend to not have much money to invest in development.

The website guys are the ones who have built up a business with a few hundred or thousand web servers, with all kinds of low margin mom-and-pop static websites. They can code in Ruby or PHP, but can't really live off margins of a few euros per month per site or a few thousand euros for web design job. After a year or two, they come to the realisation they're not really earning the big money like founding a new google. That is the point when they put their morals aside and decide they could really make some good money from building porn websites. What they are missing is social skills to convince women to fuck for money in front of a camera.

Put the two sides together, and you have a fairly good model of the online porn industry today. The "intentional pornographers" make the content, the "accidental pornographers" make and run the sites. The buzzword is "Ecosystem"

the AC

fend off cybercriminals ..

[rs232]

SPAM: "the sender's name on this particular e-mail sent a shudder down his spine .."

PHISING: "The e-mail claimed in convincing detail that there was a problem .."

FAKE WEB SITES: [and] "urged customers to click on a link--to a phony website .."

DDOS ATTACKS: "Dougherty's website lay in a coma from a devastating distributed denial-of-service (DDoS) attack that"

Well the root cause of the problem is the above so to fend off cybercriminals you would have to ...

01. Create an email infrastructure that provides end-to-end authentication and encryption.

02. Create a web identity infrastructure that provides end-to-end authentication and encryption.

03. Make a desktop computer that can't be compromised to be used in a DDoS attack, merely by clicking on an URL or opening an email attachment.

04. Design the upstream network infrastructure to mitigate against DDoS attacks.

Why are we still talking about all this in the middle of 2007. What are all those innovators and security experts doing to earn their salaries.

'These are not attacking any kind of vulnerability in the computer .. They are attacking the vulnerability of people's brains, Sophos

Re:fend off cybercriminals ..

[mcvos]

Why are we still talking about all this in the middle of 2007. What are all those innovators and security experts doing to earn their salaries.

Working for spammers, phishers and porn sites, obviously. That's apparently where the real money is.