Slashdot Mirror
IP Lawfirm Sues Typosquatting Security Researcher
First time accepted submitter scottbee writes "A major New York intellectual property lawfirm has filed a $1m lawsuit against domain squatter/security researcher Wesley Kenzie (aka Securikai). Kenzie registered domain names to collect misaddressed email, and then holding companies to ransom claiming he had found security vulnerabilities and would consult for five figure engagements. Lockheed Martin handled it with a simple UDRP, but the Gioconda Law Group decided instead to file a lawsuit for 'cybersquatting, trademark infringement and unlawful interception of a law firm's private electronic communications in violation of federal laws,' along with a permanent injunction. Kenzie had also tried the same tactic against Rapid7's HDMoore, but was shamed out of the domain names earlier this year."
The title makes it sound like this guy is a legitimate academic who just wants to cure cancer for the benefit of all WomynKind is being harrassed by whatever evil megacorp is at the top of the 2 minutes of hate list today on Slashdot. Then you figure out that this guy is just another scumbag fraudster and he doesn't sound like such an innocent "researcher" at all.
How about a "bank security researcher" who does vital Nobel prize winning research about the response time of police and ambulances when he shoots up a bank during a robbery? I'm sure everyone on this site wants there to be more "research" to make things interesting.
AntiFA: An abbreviation for Anti First Amendment.
The summary didn't tell me who to root for so I am completely confused.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
For those of you, like me, who weren't sure what UDRP meant, it means Uniform Domain-Name Dispute-Resolution Policy and ICANN has a page on it.
Anyway, this indicates a major problem with the domain name system. One which could be solved by a simple, careful and widespread application of OpenPGP. That is, if everyone encrypted emails for recipients, people like this would not be able to read them.
Also, if I were this "security researcher" I would set up legitmate looking websites at the various domains. Perhaps giocondolaw.com could be a website for Grand International Operations. ConDoLaw., a website trying to put together a convention about law for lay peoples, run by GIO, an organisation setup by our hero... Or something. You know, it doesn't even have to be clever, just appear to actually have a real use for the domain name. In the case of the lockheedmartun.com website well, maybe a shell company called Lockhe, which makes an editor (ed) called Martun, Lockhe Ed Martun. Perhaps repackage and sell (for only $5000 a seat, this wonderful software, complete with source code, and what we won't tell you unless you buy it, is that it's just GNU EMACS or perhaps VIM (depending on what you hate the least).
HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
He specifically took action to create a destination for the incorrectly addressed emails.
If he had not done that then the emails would have been rejected by the sender's system and kicked back to the sender.
And the way he did that was to register misspellings of legitimate email domains.
He is responsible because he chose to do that.
No, it'd be like if you had your name legally changed to Mitch Romney, moved in across the street from Mitt Romney, waited until you inevitably got some of his mail and then threatened to release it to the public unless he paid you a consulting fee. What this guy did was wrong, but sadly this is very likely going to result it poorly written court decisions or even laws that end up being used powerful people and organizations to squelch competition. Much like existing cyber squatting laws have been abused.
The extortion part is however illegal. It also proves the domain registration was done with intention to commit an illegal activity.
Hope this guy rots in jail - there are too many "security researchers" in extortion business of a kind or another.
I'm no lawyer, so I'm not talking about legal standards, but the last link in the summary mentions that at least some other similar schemes this guy pulled off, he essentially threatened to post the e-mail contents, which he said were sensitive, on his blog for all to read. Which to me is a pretty clear indication he did intend to extort.
It also points out that this is a scheme that is at least 14 years old, hard to claim that he bought all these domains without realizing they were very close to other domains.
Again I'll point out that I'm not a lawyer, so I'm talking common sense standards here, not legal standards, which usually make no sense to me.
First, he's not a security researcher; calling him that gives him an air of credibility he DOES NOT deserve. He's a sleazy typosquatter giving himself the title of "researcher" to gain a veneer of respectability. I am the risk manager for an organization hit by this guy; his intent is made perfectly clear in the extortion snail-mail he sends his victims: I have your mail, pay me what I ask or I go public. He might wrap it up in a "i'm just an unsolicited security researcher trying to help you", but any attempts to discuss the "vulnerability" with him (the "vulnerability" being that my company didn't register every possible misspelling of our trademarks across all possible TLD's), he will refuse to do so until we signed a consulting contract with him.
Complete scumbag who abuses the system for his own benefit. He started this scam going after smaller companies with no InfoSec staff or Risk Managers, offering to settle for $295; once that worked a couple of times, he moved up to mid-sized companies, provincial government assets, international law firms, banks, and finally the big boys like Lockheed Martin. While he may have succeeded on some of the smaller companies, every bigger organization saw through his scam and either passively ignored his demands or is suing him into oblivion.
He is not welcome in the information security or information risk management communities as long as persists in this behaviour. HDMoore at Attrition.org has has been acting as a clearinghouse for this dude's activities; one read-through and you'll understand that Kenzie has unclean hands.
This guy is a Sith and does not deserve your empathy. When justice is meted out, he will never work in IT again.
This is one in a class of issues where the conclusion that makes perfect sense to an (intelligent and educated) technician is directly opposed to the conclusion that makes perfect sense to an (intelligent and educated) non-technician.
The technician sees a system with clear and unambiguous rules. You get an address, you send to an address, stuff goes to that address. Breaking THOSE rules seems obviously punishable to a technician (like making stuff go to a different address than the one to which it was sent, for example), but when following those rules (to the letter) all is fair. If you send to the wrong address (which nobody forced or tricked you into doing), that is your own fault, all responsibility is on you.
The non-technician sees the deliberate and conscious setting of a trap that will result in the receipt of communication that was not intended for you. Furthermore, if the trap had not been set, those communications would have harmlessly bounced-back and gone to nobody. The setting of the trap created a hole that was not there before, because now that the trap is set the communications will seem to be delivered when in fact they were "intercepted." The technical details of how this trap was set are completely irrelevant. The fact that someone else (an actual criminal) could easily have set the same trap and spied on you without your knowledge indefinitely is also completely irrelevant.
Generally speaking, the non-technical position is the one that wins whenever such issues go to trial.