Password Hackers Do Big Business With Ex-Lovers
Hugh Pickens writes "The Washington Post reports that disgruntled lovers and spouses considering divorce are flocking to services like YourHackerz.com that boast they have little trouble hacking into Web-based e-mail systems like AOL, Yahoo, Gmail, Facebook and Hotmail. The services advertise openly, and there doesn't appear to be much anyone can do about it because while federal law prohibits hacking into e-mail, without further illegal activity, it's only a misdemeanor, says Orin Kerr, a law professor at George Washington University. 'The feds usually don't have the resources to investigate and prosecute misdemeanors,' says Kerr. 'And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace.' It's not clear where YourHackerz.com is located, but experts suspect that most password hacking businesses are based overseas."
Actually, web-based, free emails could be remarkably secure, if people weren't such morons about passwords.
Don't thank God, thank a doctor!
You mean people actually still think that web-based, free emails are secure?
But of course they are, they have the big pictures of padlocks on the front page... and you even get that certificate popup thing, that means it's SUPER secure!
"normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace."
Well that's incorrect. I'd be fairly confident that most web-based email services have a way of telling when you logged into your account last (otherwise how would they know when to deactivate your account after X months of inactivity?) - they simply choose not to allow Joe Average to access this information.
And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace
Simply do like most client systems and put in big red bold: "someone tried to connect to your account 32 times from w.x.y.z ...", and keep something like a 30 days log of connection history browsable somewhere. I'm sure modern techniques can also be used to highlight strange connection patterns and/or unusual connection location. Although it's far from perfect it at least gives some basic tools to be aware and deal with this situation. And if the hackers know their address is not only logged in an obscure web log but also available to the user (with a nice helpful tips page about what to do and who to contact when you're a victim) it would probably intimidate part of them.
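The login-history view suggested in the comment above, as an added example (not part of the original post and not any provider's code): it parses a constructed login log, keeps a 30-day history, builds the "tried to connect N times" warning and flags the first successful login from a network not seen before. The log format, the /24 grouping and the threshold of 3 failures are assumptions of this example.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: timestamp, account, source IP, outcome.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
2009-07-01T12:00:00 alice 192.0.2.10 OK
2009-08-20T08:02:11 alice 192.0.2.10 OK
2009-08-27T19:40:03 alice 192.0.2.44 OK
2009-09-02T10:00:00 bob 203.0.113.5 FAIL
2009-09-05T23:10:00 alice 198.51.100.7 FAIL
2009-09-05T23:10:04 alice 198.51.100.7 FAIL
2009-09-05T23:10:09 alice 198.51.100.7 FAIL
2009-09-05T23:10:15 alice 198.51.100.7 OK
2009-09-06T07:55:30 alice 192.0.2.10 OK
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at them
        ts, account, ip, outcome = parts
        events.append((datetime.fromisoformat(ts), account,
                       ipaddress.ip_address(ip), outcome == "OK"))
    return sorted(events, key=lambda e: e[0])

def network_of(ip):
    # Compare by /24 (IPv4) or /48 (IPv6) so a dynamic address inside the same
    # provider range is not reported as new. Prefix sizes are an assumption.
    return ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 48}", strict=False)

def account_report(events, account, now, window_days=30, fail_threshold=3):
    """Build what the account page would show: history, warnings, new sources."""
    since = now - timedelta(days=window_days)
    known, history, failures, new_sources = set(), [], Counter(), []
    for ts, acct, ip, ok in events:
        if acct != account:
            continue
        recent = ts >= since
        if recent:
            history.append((ts.isoformat(), str(ip), "OK" if ok else "FAIL"))
        if not ok:
            failures[str(ip)] += 1 if recent else 0  # count only in-window failures
            continue
        net = network_of(ip)
        if recent and known and net not in known:
            new_sources.append((ts.isoformat(), str(ip)))  # first success from here
        known.add(net)
    warnings = [f"someone tried to connect to your account {n} times from {ip}"
                for ip, n in failures.items() if n >= fail_threshold]
    return {"history": history, "warnings": warnings, "new_sources": new_sources}

if __name__ == "__main__":
    print(account_report(parse(SAMPLE_LOG), "alice", datetime(2009, 9, 7)))
```

In the sample, the login from 192.0.2.44 is not flagged because it shares a /24 with the account's earlier logins, while the success that follows three failures from 198.51.100.7 is.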
You mean people actually still think that web-based, free emails are secure?
As opposed to a client-based email, where you can simply get it all through the filesystem? Physical access is game-over. So if you have 30min with your ex's machine, that's pretty much game over, if residing in clients.
Password Hackers Are Slippery To Collar
By Tom Jackman
Washington Post Staff Writer
Monday, September 7, 2009
When Elaine Cioni found out that her married boyfriend had other girlfriends, she became obsessed, federal prosecutors say. So she turned to YourHackerz.com.
And for only $100, YourHackerz.com provided Cioni, then living in Northern Virginia, with the password to her boyfriend's AOL e-mail account, court records show. For another $100, she got her boyfriend's wife's e-mail password. And then the passwords of at least one other girlfriend and the boyfriend's two children. None had any clue what Cioni was doing, they would later testify.
Cioni, however, went further and began making harassing phone calls to her boyfriend and his family, using a "spoofing" service to disguise her voice as a man's. This attracted the attention of federal authorities, who prosecuted Cioni, 53, in Alexandria last year for unauthorized access to computers, among other crimes. She was convicted and is serving a 15-month sentence.
But such services as YourHackerz.com are still active and plentiful, with clever names like "piratecrackers.com" and "hackmail.net." They boast of having little trouble hacking into such Web-based e-mail systems as AOL, Yahoo, Gmail, Facebook and Hotmail, and they advertise openly.
And, experts said, there doesn't appear to be much anyone can do about it.
"This is an important point that people haven't grasped," said Peter Eckersley, a staff technologist for the Electronic Frontier Foundation in San Francisco. "We've been using e-mail for years, and it's been insecure all that time. . . . If you have any hacker who is competent and spends the time and targets you, he's going to get you."
Federal law prohibits hacking into e-mail, but without further illegal activity, it's only a misdemeanor, noted Orin Kerr, a law professor at George Washington University and a former trial attorney in the Justice Department's computer crime section.
"The feds usually don't have the resources to investigate and prosecute misdemeanors," Kerr said. "And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace."
Every state has laws roughly similar to the federal computer laws, Kerr said, and rate the offenses as misdemeanors.
Not long after Gov. Sarah Palin of Alaska was named the Republican nominee for vice president last year, someone hacked into her personal Yahoo e-mail accounts. And as the election neared, someone at George Mason University hacked into the e-mail of the school's provost and sent a schoolwide e-mail saying the election date had been changed.
"Web Based email password hacking or cracking is one of our all time favourite and unique hobby," write the folks at YourHackerz.com. It's not clear where YourHackerz.com is located, but experts suspect that most of the businesses are based overseas. "We will provide you with the original Passwords. No questions asked whatsoever. Payment only after you are CONVINCED. 100% guarantee of Cracking. Total privacy of your information. No legal hassles."
At SlickHackers.com, they boast, "We are professionals interested in helping serious people for whom an email password would mean saving their marriage, knowing the truth, preventing a fraud, protecting their family/job/interests only when conventional ways and normal procedures do not work."
All the services advertise that they will e-mail a screenshot of the target's in-box or even send an e-mail from the target's e-mail as proof that they've cracked the password. The customer then sends payment. One service, whose fee is only 20 British pounds (about $33), then responds with the script from a scene from a Shakespeare play, with the stolen password hidden in the copy.
E-mail inquiries to several of these services did not elicit any responses.
The FBI cannot police the Internet, a spokesman said. "The FBI is aware of these illegal services," spok
Once you lose trust to that extent, you're done.
Yeah, well I'd say it's a big reason why I get phone calls. I hung my shingle out a long time ago about being a computer geek. People usually come to me for one of three reasons: First, their computer's suddenly running slow. "But I've tried everything." Malware is the main reason. Second is "It won't turn on anymore." Coffee spill on laptop, or HDD failure without error message. And the third most common reason: "I want to ruin someone's life! You're a hacker, right?"
Of course, these are my friends, not strangers. I usually oblige them by asking if they knew what common passwords their ex used, any websites they frequented, the full spelling of their name, date of birth, and social security number. And the strange part is: They usually know all of these things. You know what I do then? Nothing. Not a damn thing. I sit down and have a long talk with them about personal security and how just like we don't go out alone at night (I'm a girl. Most of my friends are girls -- I know most of you are dudes and don't think about it much), we also need to take precautions online! This is usually said while saying what a bastard the guy was. And I give them a pat on the head, some candy I keep around for this purpose, and send them on their way.
I'm a white hat (eh, most of the time). But a lot of people just like me know this about others because they've hung their shingle out too and announced they're a geek. And not all of them are going to have an ethical hangup about sucking up all your personal data, hacking your accounts, and leaving "I have a small penis" written to all your friends. Because really... The average person if you do go through all the effort to get them access just sits there feeling all powerful for a minute and then does something incredibly juvenile that'll make you wish you'd done your laundry instead of wasted two hours at the keyboard.
My advice to you people: Love your partner. But do not give them the root password!
P.S. Only once ever have I done a spot of sleuthing that I felt was worth it -- when I discovered a friend-of-a-friend was dating a terrorist. No, I don't mean the fluffy-bunny kind that the media portrays either (everything is terrorism these days). No, I mean the guy came overseas, set up shop over here, and was doing serious criminal enterprise and had cases open with a half-dozen agencies. A few days later, a police officer informed her that if she valued her life, she should cease contact with him immediately. Fun times. Everything else though? Boring as shit.
#fuckbeta #iamslashdot #dicemustdie
I've been storing my Thunderbird folders inside a truecrypt container for some time now. It's peace of mind.
I am pretty sure they just utilise the 'recover your password' function, as the spouses/relations probably know what the answers are. I seriously doubt they'd even consider bruteforcing/dictionary attacking Hotmail or the like.... As they have a limited amount of attempts to use. It'd be interesting to see how they'd hack an account with a ridiculously long password like: '>AFD,!21)£"($£$3La57~}{' and with a bogus answer to a secret question. I think not 'YourHackerz'. Also, has the website suffered the wrath of the 'Slashdot effect'?
divorce dollars?
Sure, you may uncover evidence of unfaithfulness in your divorce case, but your winnings in divorce case will be offset when you go to jail for computer trespass and the victim [your ex] sues the invader [you] for mega-bucks.
Oh, and if you tell your lawyer where you got the goods, it will trigger HIS ethical obligations. Yes, lawyers have ethical obligations, even those with no ethics.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
What is your girlfriend's name? Let's see the wife try to guess that one.
Have gnu, will travel.
Quite an ingenious scam really. The following link - http://www.complaintsboard.com/complaints/yourhackerzcom-c141692.html [complaintsboard.com] - suggests that they take your 'hard earned money' and then blackmail you. Saying that they will tell the person you are trying to 'hack' if you don't send them $1000. It made me lol.
There are two ways an adversary can obtain one's password:
The first attack can be countered by using Gmail with things set up to always use https for connections (near the bottom of the "settings" page).
The second attack can be countered by using a secure password that is easy to remember but hard to guess. For example, "MaraDNS.org" would not be a very good password for this account, however "otif10md" ("One time I fell 10 meters down") would be a good password. Or, in my case, I use a secure hashing algorithm where a common secret is concatenated with the name of the website I visit to get a secure password, akin to using the MD5 sum of "This is secret;slashdot.org" to get a password.
MaraDNS is an open-source DNS server.
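The site-specific password scheme described in the comment above, as an added example rather than the poster's own code: the first function is the MD5 construction as stated, the second keeps the idea but uses PBKDF2-HMAC-SHA256, because MD5 is fast enough that one leaked site password lets the shared secret be guessed offline at high speed. The alphabet, the `counter` rotation parameter, the `normalise` helper and the iteration count are assumptions of this example.

```python
import hashlib
import string

# Assumed set of characters that most sites accept in passwords.
ALPHABET = string.ascii_letters + string.digits + "!#%+-=_"

def md5_site_password(secret, site):
    """The scheme as the comment describes it: MD5 of "secret;site"."""
    return hashlib.md5(f"{secret};{site}".encode()).hexdigest()

def normalise(site):
    """Hypothetical helper: treat " Slashdot.ORG" and "slashdot.org" as one site."""
    return site.strip().lower().rstrip(".")

def kdf_site_password(secret, site, counter=1, length=20, iterations=200_000):
    """Same idea, but each guess at the secret costs `iterations` HMAC calls.

    Bumping `counter` rotates one site's password after a breach without
    changing the shared secret.
    """
    salt = f"{normalise(site)}:{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)
    # Map the 256-bit result onto the allowed alphabet by repeated division.
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)

if __name__ == "__main__":
    secret = "This is secret"          # the sample secret quoted in the comment
    for site in ("slashdot.org", "example.org"):
        print(site, md5_site_password(secret, site), kdf_site_password(secret, site))
```

Either way the derived passwords are only as strong as the shared secret itself, so a short or guessable secret weakens every site at once.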
The headline implies that the hackers are doing business with THEIR ex-lovers, which didn't make much sense, considering that the average nun has more sex than the average hacker...
until she installs a keylogger. Physical access is game over.
... some high level expert engineers seriously start thinking about ways we *can* detect e-mail snooping has taken place ...
Well, if you have 2 minutes with your ex's machine, chances are either they're already logged into their webmail, or their password is saved.
Reviewing just the first hour of video games.
If you're curious how these things work, here's a write-up of a typical example of one of these services.
Some folks really need to get a life, if they feel they have to snoop on their significant other like this.
You mean people actually still think that web-based, free emails are secure?
As opposed to a client-based email, where you can simply get it all through the filesystem? Physical access is game-over. So if you have 30min with your ex's machine, that's pretty much game over, if residing in clients.
I had no problem getting my ex-girlfriend's email ... after all, it was residing on my server. As it happened, the only interest I had in it was getting rid of it to reclaim some disk space (the girl didn't understand that you're supposed to delete things now and then.)
The higher the technology, the sharper that two-edged sword.
Jesus Christ you had your GF's mail on your server? I run my own mail server too, never felt comfortable doing that. I run mail for a couple friends, never been tempted to look and wouldn't look if I was tempted, but I would never give myself that kind of access to someone I was screwing, and besides, what happens when you break up? I guess she lost her e-mail address?
I guess you don't have to worry about things like that when you're ScrewMaster though.
<xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
Jesus Christ you had your GF's mail on your server? I run my own mail server too, never felt comfortable doing that. I run mail for a couple friends, never been tempted to look and wouldn't look if I was tempted, but I would never give myself that kind of access to someone I was screwing, and besides, what happens when you break up? I guess she lost her e-mail address?
I guess you don't have to worry about things like that when you're ScrewMaster though.
Well, I'm just point-blank not interested in anything that doesn't concern me. Really, I hate nosy people and I take great pains not to be one of them. So yes, I do take my privacy seriously, but that means I need to take others' seriously as well. Everything on my server is encrypted anyway, so I couldn't read it even if I wanted to. I didn't and I don't.
And no, she didn't lose her email address until she told me she didn't need it anymore. Just because she was a psychotic witch was no reason for me to be a prick. Tempting as it was, I generally feel better if I don't give in to the Dark Side. Anyway, she got a Yahoo account or something like that. As for me, I just wanted the disk space back.
The higher the technology, the sharper that two-edged sword.
Ok, so I can see how Joe/Jane Sixpack, getting their divorce, might only be a misdemeanor breaking into an email account without profiting from it (maybe just to do something mean to his/her ex, or dig up incriminating emails), but, with regards to these commercial services offering to do the hacking for a fee, isn't there some sort of statute which makes *any crime* which is done *for profit* a felony? I don't care if your hacking an email account is just a misdemeanor, but if you are doing it for hire, that should elevate the crime, seems like, the same way *any* crime committed with a weapon automatically adds felony charges?
And of course, this is missing the obvious point that a) most people have never heard of truecrypt, and b) most girlfriends/boyfriends/spouses won't know that such a thing as a keylogger exists. It's true that either situation *could* change (the girlfriend gets a new boyfriend, or just a friend, who teaches her about keyloggers, for example).
Still, I suspect setting up a TC volume for your email is better than nothing. I've done this on my laptop - mostly just to protect my files in case of theft/loss; I think it's probably pretty good for that particular scenario - I realize that TC won't protect me from a determined or sophisticated person/organization, but should protect against the random thief. But, even against someone like a girlfriend/wife, it provides at least some barrier for them to have to penetrate.
Revenge? Pettiness? Still in love? Take your pick of anything including 200 other odd reasons. Love is the most dangerous emotion you have to deal with, and it's the same emotion that makes people safe and secure. While making them do stupid, and insane things that will get them locked up for a very long, long time.
Om, nomnomnom...
All that and if you're at work on a Windows domain network, your friendly eye-tee people have access to your mounted filesystems and everything contained therein . . .
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
Love and obsession are easily confused perhaps because they're often paired, but whatever drives someone to spy on his/her ex is most certainly not love.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
Not really. In her eyes, she was the new-coming upshot replacing his old wife. The other girlfriends were therefore her direct competition.
She might also have, rather suddenly, realized how meaningless all his love-assurances were. That can really hurt.
Free Manning, jail Obama.
Solution: date technically inept people.
They usually smell better anyway.
Ride the skies
Well, if you have 2 minutes with your ex's machine, chances are either they're already logged into their webmail, or their password is saved.
Frankly, if you have an ex (or an SO for that matter), chances are she/he already gave you that password anyway because you had to fix her/his broken machine more than once. Or you are her/his email provider and already have access to it without password. So that whole conversation is kind of silly to begin with (for tech people anyway).
May contain traces of nut.
Made from the freshest electrons.
YourHackerz.com 94.194.139.145 = [ 94-194-139-145.zone8.bethere.co.uk ]
(Asked whois.ripe.net:43 about 94.194.139.145)
inetnum: 94.194.136.0 - 94.194.143.255
netname: AVATAR-GB
descr: London lwchi Residential Dynamic
country: GB
admin-c: JPM202-RIPE
tech-c: JPM202-RIPE
status: ASSIGNED PA
mnt-by: MNT-AVATAR
mnt-lower: MNT-AVATAR
mnt-routes: MNT-AVATAR
source: RIPE Filtered
person: Jamie Patrick Mcgee
address: 260 Bath Road
address: Slough
address: Berkshire
address: SL1 4DX
address: United Kingdom
phone: 44 (0) 1753 565000
my 2 cents
when someone died and I needed to contact their relatives. I never heard back after the (British based) company accepted the 'case'. I assume that this means that the whole thing is some kind of scam - they want to know eg friends / lovers names and promise to send a screen shot before you have to pay. Why on earth would they need this info to hack a password? But they *would* need it to photoshop a 'screen shot'. I emailed again to ask if they were still trying or had no luck etc and never got a reply at all, and came to the conclusion that although they couldn't refuse such a legitimate-sounding request (they ask for the reason) without looking suspicious, they wouldn't dare to try to scam someone in such circumstances - and based in the same country - in case I followed up with further action (reporting them to eg trading standards).
Oh, and I didn't manage to find anything saying that this was illegal in Britain either, although I assumed that it probably was. I still don't know for sure.
Not true. Obsession and love go hand in hand, even if one person is still the primary driver for it. There's a term for it, but the name escapes me at the moment. Ah well... it may or may not come to me, take a wander through a psychology book, it's in there, I'm just too lazy.
Om, nomnomnom...