Slashdot Mirror
IP Lawfirm Sues Typosquatting Security Researcher
First time accepted submitter scottbee writes "A major New York intellectual property lawfirm has filed a $1m lawsuit against domain squatter/security researcher Wesley Kenzie (aka Securikai). Kenzie registered domain names to collect misaddressed email, and then holding companies to ransom claiming he had found security vulnerabilities and would consult for five figure engagements. Lockheed Martin handled it with a simple UDRP, but the Gioconda Law Group decided instead to file a lawsuit for 'cybersquatting, trademark infringement and unlawful interception of a law firm's private electronic communications in violation of federal laws,' along with a permanent injunction. Kenzie had also tried the same tactic against Rapid7's HDMoore, but was shamed out of the domain names earlier this year."
Well this Kenzie guy seems to exhibit some pretty scummy behavior. However that bad behavior does not equate to "unlawful interception of a law firm's private electronic communications in violation of federal laws" (at least as I understand the law). He received emails addressed to his legally acquired domain. I don't know if intent plays into the law on this or not - obviously he did intend to get these emails, so maybe that does make him culpable. I am obviously not a lawyer. But as an average citizen, I can say that bad behavior like his should not be rewarded. So hopefully he doesn't make any more money on schemes like this. Just because the way things are setup allows people to be an asshole doesn't mean that they should act like an asshole.
The title makes it sound like this guy is a legitimate academic who just wants to cure cancer for the benefit of all WomynKind is being harrassed by whatever evil megacorp is at the top of the 2 minutes of hate list today on Slashdot. Then you figure out that this guy is just another scumbag fraudster and he doesn't sound like such an innocent "researcher" at all.
How about a "bank security researcher" who does vital Nobel prize winning research about the response time of police and ambulances when he shoots up a bank during a robbery? I'm sure everyone on this site wants there to be more "research" to make things interesting.
AntiFA: An abbreviation for Anti First Amendment.
The summary didn't tell me who to root for so I am completely confused.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
He own the domain. People send the mail to him. So I hope that they trow that part out. The receiver can not be responsible, the sender should be.
This does not mean that I agree with what he does. He did a lot things wrong, but unlawful interception isn't one of them.
If they will allow it, whenever you get a mail by mistake, YOU will be responsible. For now the stoopid signatures that legal adds to your external mail mean nothing. For now!
Don't fight for your country, if your country does not fight for you.
For those of you, like me, who weren't sure what UDRP meant, it means Uniform Domain-Name Dispute-Resolution Policy and ICANN has a page on it.
Anyway, this indicates a major problem with the domain name system. One which could be solved by a simple, careful and widespread application of OpenPGP. That is, if everyone encrypted emails for recipients, people like this would not be able to read them.
Also, if I were this "security researcher" I would set up legitmate looking websites at the various domains. Perhaps giocondolaw.com could be a website for Grand International Operations. ConDoLaw., a website trying to put together a convention about law for lay peoples, run by GIO, an organisation setup by our hero... Or something. You know, it doesn't even have to be clever, just appear to actually have a real use for the domain name. In the case of the lockheedmartun.com website well, maybe a shell company called Lockhe, which makes an editor (ed) called Martun, Lockhe Ed Martun. Perhaps repackage and sell (for only $5000 a seat, this wonderful software, complete with source code, and what we won't tell you unless you buy it, is that it's just GNU EMACS or perhaps VIM (depending on what you hate the least).
HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
Kenzie clearly does not understand how e-mail works. What he is doing is clearly an attempt to extort money for owners of legitimate domains. I don't know if he is doing anything that will pass muster in court of law but he is obviously stupid, a fraud, and prick.
Still though he does even though he does sorta point out a weakness in mail even if his solutions are off base. The correct way to handle this is as follows:
1. Sign all mail, and really try to convince recipients to validate signatures. This will give you integrity and irrefutably when sending; at least if you tell all your recipients, if its not signed to assume its a fraud.
2. Use SFP this will allow recipients to know mail really did come from your domain even if they can't check signatures. It will also help guard against innocent miss configured sending clients and servers, on similar but legitimate domains. It will also keep your domain off RBLs if someone tries false flag spamming to get your domain listed.
3. Encrypt anything you send if any of it is remotely confidential. Not only will this offer protection from interception, it will also cover you in the case you send to a black hole domain like Kenzie likes to set up by mistake; he won't have the ability to decrypt.
If we did these things routinely the over all security picture of Internet E-mail would be enhanced to the point that would be "good enough" to thwart most serious threats. Kenzie is dipshit but he is correct about the weakness of e-mail. Perhaps this security researcher should do a little more research and a little less "consulting" until he learns a thing or two. He is just best ignored.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
What this guy did is certainly not ethical but shouldn't be illegal. You shouldn't have a right to every domain similar to one that you have bought just because you are a big corporation. If a company wants to own all variations of a domain, fucking pay for all of them.
He specifically took action to create a destination for the incorrectly addressed emails.
If he had not done that then the emails would have been rejected by the sender's system and kicked back to the sender.
And the way he did that was to register misspellings of legitimate email domains.
He is responsible because he chose to do that.
The new TLDs could potentially make this much worse, for example, if someone has applied for .cmo and/org .con which are two easy typos of .com, it wouldn't take much to set up a wildcard redirect to the correct .com site, but also log all the stuff coming through.
Or even iframe it with google ads or something.
Who are the most sue-happy people on earth? IP Lawyers. If you so much as sneeze in their direction you'll get sued.
First, he's not a security researcher; calling him that gives him an air of credibility he DOES NOT deserve. He's a sleazy typosquatter giving himself the title of "researcher" to gain a veneer of respectability. I am the risk manager for an organization hit by this guy; his intent is made perfectly clear in the extortion snail-mail he sends his victims: I have your mail, pay me what I ask or I go public. He might wrap it up in a "i'm just an unsolicited security researcher trying to help you", but any attempts to discuss the "vulnerability" with him (the "vulnerability" being that my company didn't register every possible misspelling of our trademarks across all possible TLD's), he will refuse to do so until we signed a consulting contract with him.
Complete scumbag who abuses the system for his own benefit. He started this scam going after smaller companies with no InfoSec staff or Risk Managers, offering to settle for $295; once that worked a couple of times, he moved up to mid-sized companies, provincial government assets, international law firms, banks, and finally the big boys like Lockheed Martin. While he may have succeeded on some of the smaller companies, every bigger organization saw through his scam and either passively ignored his demands or is suing him into oblivion.
He is not welcome in the information security or information risk management communities as long as persists in this behaviour. HDMoore at Attrition.org has has been acting as a clearinghouse for this dude's activities; one read-through and you'll understand that Kenzie has unclean hands.
This guy is a Sith and does not deserve your empathy. When justice is meted out, he will never work in IT again.
And half the electronics brands in Japan from the 1960's should be sued for trying to sound like Western brands?
True story for those who don't know it: Ricoh is a homonym for Leica in Japanese.
There are hundreds of others..
------ The best brain training is now totally free : )
I agree if he bought the domains legally and mail was sent to those he didn't unlawful interception anything since it was sent to a domain he owned.
He bought the domains with the primary aim of intercepting mail that wasn't his... Same as if I changed the number on my house and setup a mail box that looks like my neighbors.
:)
I'm sure this angle can be argued in the court. Whether it holds I don't know. I kind of hope it does, there's a reason why judges are human, the world made of ones and zeros. Regardless of who much we all wish we were was Neo
Good read from UDRP on Lockheed Martin case, format was easy to read and I understood the claims, etc. w/o having to read for hours and click through a bunch of sites. Hmmm, the courts were able to read "his intent" when he registered the names... ;)
This reminded of a related, but opposite case, individual has name first but corp. wants it: Mr. Nissan's battle from years ago. I clicked on his site today to see how he was faring, and was surprised to find that what the Nissan Motor Corp. lawyers started in 1999 is still going and they are still "on the case"! The read at Mr. Nissan's website was quite educational, naturally at www.nissan.com *Good grief* up and down through the courts, even up to Supreme Court after it started heading towards Free Speech, etc. and then back down... wow!
After looking at Nissan.com though, I'd say neither party should get to have the domain. Nissan Motors because they're being douches, and Nissan Computers for having the worst designers ever.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Uh, can someone explain to me how a firm with all of 4 attorneys counts as "A major New York intellectual property lawfirm"?
I'm aware of a few major IP-only law firms, and they are several hundred attorneys apiece. Good or not, I've never heard of these guys before, and likely will never hear of them again.
I took a closer look at the actual complaint in the case itself and the UDRP decision in the Lockheed case. Here is why I think Kenzie's conduct IS going to be found illegal under U.S. laws here: 1. Intentional Cybersquatting: Cybersquatting is illegal under US federal law and is punishable by a fine up to $100,000.00. To prove Kenzie is guilty of cybersquatting, the law firm only needs to prove that Kenzie adopted the confusingly similar domain name intentionally and in bad faith, that is, without a bona fide or non-commercial reason. In the prior UDRP proceeding, which is binding on Kenzie, Kenzie's identical conduct against Lockheed Martin was found to be bad faith cybersquatting. By extension, Kenzie is likely to be found guilty here and is going to have a tough time convincing a judge and jury that the Lockheed panel was wrong as well. 2. Intentional interception of private electronic communications: Seems to me that Kenzie intended to do exactly this, and is just trying to justify it in the name of conducting unauthorized and spurious "research." In the Lockheed UDRP case, he as much as admitted that he intentionally intercepted e-mails intended for Lockheed, but that his only defense was that it was done in the name of bona fide research to benefit Lockheed, even though they didn't know about it until he was confronted with the UDRP. The panel rejected this defense, finding that Kenzie simply wasn't authorized to conduct this "research," but was merely trying to line his own pockets by getting a consulting fee out of it. Seems to me that Kenzie is going to lose this one, too.
Why do we continue to call these sorts of clowns "researchers"?
He's a scumbag alright, but what he does isn't illegal. Sure the mail might have been intended for someone else, but it was sent to him. If the courts support the bullshit "if you are not the intended recipient..." boilerplates of e-mails, I have a couple things I'd like to write down there. The keyword being intended.
That said, I am a security researcher and consultant. Here's a free bit of security advise: The proper answer to making sure your communication can not be read by someone who may intercept it through whatever means, including typos in the address, is to use encryption. Period.
IMHO, if you're a law firm or someone else with a need for confidentiality, you must have encryption available and remind your clients of it. Since they are the paying party, if they don't want to use encryption then so be it, but if you don't offer the option, you are acting negligent.
Assorted stuff I do sometimes: Lemuria.org