Slashdot Mirror
How a Chinese Hacker Tried To Blackmail Me
An anonymous reader writes "Slate provides the first-person account of a CEO who received an e-mail with several business documents attached threatening to distribute them to competitors and business partners unless the CEO paid $150,000. 'Experts I consulted told me that the hacking probably came from government monitors who wanted extra cash,' writes the CEO, who successfully ended the extortion with an e-mail from the law firm from the bank of his financial partner, refusing payment and adding that the authorities had been notified. According to the article, IT providers routinely receive phone calls from their service providers if they detect any downtime on the monitors of network traffic installed by the Chinese government, similar to the alerts provided to telecom providers about VoIP fraud on their IP-PBX switches. 'Hundreds of millions of Chinese operate on the Internet without any real sense of privacy, fully aware that a massive eavesdropping apparatus tracks their every communication and move...' writes the CEO. 'With China's world and ours intersecting online, I expect we'll eventually wonder how we could have been so naive to have assumed that privacy was normal- or that breaches of it were news.'"
Honestly, people should really just block all of the chinese IP ranges. I've moved the sshd ports on my servers back to port 22 simply to see how many attempts and from who I get. 80% of the attempts at password cracking are on IP space owned by china. I've reported the IP space to their providers, as well as any email addresses in the SWIP info. Honestly? Screw them. I will block their entire f'ing country, and suggest that everyone else do the same.
...We've had PGP since 1991 and SSL and SSH since 1995 ... easy ways to protect your communications against this have been available, for over 15 years.
I don't think that your definition of "easy" is the same as mine. I've worked with all kinds of operating systems, hardware, software, and so on. I've read TLDP while deciding how I wanted to configure the multitudes of flags for a new kernel on my Slackware box (Pentium MMX FTW!). I'm not afraid of trying new stuff or reading documentation to get it done. I've used PGP(GPG) and I'd say it's far from easy. I understand PKI principles on a superficial level, but to use PGP hasn't ever been intuitive to me.
It's probably safe to say that a great number of people reading this post have had to field telephoned questions from relatives who didn't know how to download and install a Windows application. And you're telling me that PGP is easy? In the few cases I've used it, I've also had to give my colleagues or business partners tutorials on how to read or compose emails with it, because I'm the techie-guy, not them. And because of the high bar, there were very few people in personal or professional circles who could receive such a message.
HTTPS is relatively easy to implement for administrators and it's transparent to most users, requiring little additional knowledge. I really do welcome the day when a PGP-like product is that easy to use.
I only post comments when someone on the internet is wrong.
Try getting a job at the NSA. You'll be security-screened up the wozoo, and then face 10 years in the slammer if you leak. Ask Manning.
There's also a lot of security - no USB drives, no internet (they'll have 2 computers, one of which can only access a LAN where the confidential information is kept), audits, lots of rules, etc. Manning used a CD burner. I'm betting that's going to be a bit harder to do now.