Slashdot Mirror


How a Chinese Hacker Tried To Blackmail Me

An anonymous reader writes "Slate provides the first-person account of a CEO who received an e-mail with several business documents attached threatening to distribute them to competitors and business partners unless the CEO paid $150,000. 'Experts I consulted told me that the hacking probably came from government monitors who wanted extra cash,' writes the CEO, who successfully ended the extortion with an e-mail from the law firm from the bank of his financial partner, refusing payment and adding that the authorities had been notified. According to the article, IT providers routinely receive phone calls from their service providers if they detect any downtime on the monitors of network traffic installed by the Chinese government, similar to the alerts provided to telecom providers about VoIP fraud on their IP-PBX switches. 'Hundreds of millions of Chinese operate on the Internet without any real sense of privacy, fully aware that a massive eavesdropping apparatus tracks their every communication and move...' writes the CEO. 'With China's world and ours intersecting online, I expect we'll eventually wonder how we could have been so naive to have assumed that privacy was normal- or that breaches of it were news.'"

32 of 146 comments

  1. Words mean things by chicago_scott · · Score: 5, Insightful

    That's a criminal, not a hacker.

    1. Re:Words mean things by ireallyhateslashdot · · Score: 5, Insightful

      You're half right. Criminals can be hackers, and hackers can be criminals. They aren't mutually exclusive.

    2. Re:Words mean things by SJHillman · · Score: 3, Insightful

      I don't think he was referring to hacker vs cracker in the sense that "hackers are good, crackers are bad". He was saying "No hacking, good or bad, occurred here. Just good, old-fashioned criminal activity that just happens to involve a computer." This is mostly obvious by the fact he never mentioned the term "cracker".

    3. Re:Words mean things by eksith · · Score: 3, Insightful

      And if you mention The Gay Science, how many people do you know that think of Nietzsche? Terms change with the times. Not always for the better, but they do.

      --
      If computers were people, I'd be a misanthrope.
    4. Re:Words mean things by Pf0tzenpfritz · · Score: 4, Insightful

      He's completely right. As a gov monitor the guy did not have to hack into anything. Everything was already there. Technically, he did not even have to use equipment in a different way than he was expected to - and blackmail hardly qualifies as "social engineering".

      No hack found here. Just a cheap and nasty case of corruption - but what else would you expect from a professional denouncer?

      --
      Oh, the beautiful gloss of greality!
    5. Re:Words mean things by JWSmythe · · Score: 2

      I'm "a nobody" who banged Jodie Foster and Ellen Degeneres in a menage a trois. Scoop this slashdot?

      Who hasn't? I even submitted pictures. All I got was an email asking me for more.

      --
      Serious? Seriousness is well above my pay grade.
    6. Re:Words mean things by satuon · · Score: 2

      Do you mean that it's OK for the Chinese to do it, or do you mean that it's not OK for Americans to do it?

    7. Re: Words mean things by Anonymous Coward · · Score: 2, Funny

      Wait a minute, I thought crackers were white people, not black...

    8. Re: Words mean things by gnasher719 · · Score: 2

      You would say "car salesman", since "criminal" doesn't add any information.

  2. Re:Titles by Anonymous Coward · · Score: 2, Insightful

    a government censor and the Chinese government should realize corruption is an inevitable result of censorship.

    The inevitable result of government itself is corruption.

    Arguing over minor facets is pretty pointless in the long run.

  3. Re:Titles by jhoegl · · Score: 2

    Actually... you should refine that to The inevitable result of financial incentive and/or monetary status is itself corruption.
    What are we; but slaves to finances?

  4. just like home! by Anonymous Coward · · Score: 2, Insightful

    Hundreds of millions of Chinese operate on the Internet without any real sense of privacy, fully aware that a massive eavesdropping apparatus tracks their every communication and move..

    ... just like Google! And Facebook! And half the Android apps!

  5. Indeed, you follow the money, you find the crime. by h00manist · · Score: 3, Insightful

    Go to a financial power center, find the center of crime. Well dressed, groomed, prepared, by an army of specialists in PR, marketing, design, security, privacy, and secrecy. But it is laying around there, somewhere. Most surely, the evidence and main coverup is in the security, legal, and accounting divisions. Enron was never alone.

    --
    Build your own energy sources from scratch. http://otherpower.com/
  6. Why not use encryption? by inglorion_on_the_net · · Score: 4, Insightful

    I don't understand the summary, but riddle me this: Is there any good reason not to use end-to-end encryption?

    We've had PGP since 1991 and SSL and SSH since 1995. Some of these were developed in response to plaintext sniffing attacks. That means that the fact that communication in the clear is a security risk and the fact that there are people listening to your communications in order to obtain sensitive information haven't been news, and easy ways to protect your communications against this have been available, for over 15 years.

    --
    Please correct me if I got my facts wrong.
    1. Re:Why not use encryption? by Kozz · · Score: 4, Interesting

      ...We've had PGP since 1991 and SSL and SSH since 1995 ... easy ways to protect your communications against this have been available, for over 15 years.

      I don't think that your definition of "easy" is the same as mine. I've worked with all kinds of operating systems, hardware, software, and so on. I've read TLDP while deciding how I wanted to configure the multitudes of flags for a new kernel on my Slackware box (Pentium MMX FTW!). I'm not afraid of trying new stuff or reading documentation to get it done. I've used PGP(GPG) and I'd say it's far from easy. I understand PKI principles on a superficial level, but to use PGP hasn't ever been intuitive to me.

      It's probably safe to say that a great number of people reading this post have had to field telephoned questions from relatives who didn't know how to download and install a Windows application. And you're telling me that PGP is easy? In the few cases I've used it, I've also had to give my colleagues or business partners tutorials on how to read or compose emails with it, because I'm the techie-guy, not them. And because of the high bar, there were very few people in personal or professional circles who could receive such a message.

      HTTPS is relatively easy to implement for administrators and it's transparent to most users, requiring little additional knowledge. I really do welcome the day when a PGP-like product is that easy to use.

      --
      I only post comments when someone on the internet is wrong.
    2. Re:Why not use encryption? by EmperorArthur · · Score: 3, Informative

      Yes,

      If part of your business is in China, and the government demands the ability to intercept its communications.

      Like the summary said, this was likely an official monitor looking to make some quick cash on the side. These are the people who legally have access to your most sensitive corporate secrets because the government says so.

      --
      So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
    3. Re:Why not use encryption? by jamesh · · Score: 3, Insightful

      I don't understand the summary, but riddle me this: Is there any good reason not to use end-to-end encryption?

      Encryption? Do you have something to hide there, comrade?

      That's the reason why.

    4. Re:Why not use encryption? by Anonymous Coward · · Score: 2, Insightful

      The reason it's not ubiquitous is US federal laws on the encryption of export. That's what's blocked its proper use with PGP, and with proper 3DES 25 years ago for UNIX passwords, and what prevents the use of reasonably robust encryption built into network cards themselves. The restrictions on export have also been used as a bludgeon to threaten companies that provide *domestic* end-to-end encryption in their products.

      There have been attempts to get federal approval for such technologies, but *all* such approved technologies involve someone in the government retaining access to either the private keys, or the signatures to sign new keys for a man-in-the-middle device to do a man-in-the-middle attack without telling the victims. Think I'm kidding? Take a good look at the Clipper Chip, which was only discarded when it was discovered that their "verified secure" technology violated at least 3 patents and could be used to make genuinely private keys despite their best efforts to have a "Law Enforcement Agency Field" to verify that Uncle Sam, or Bubba the KKK sheriff who thinks warrants are for wusses, would always have the private keys available.

      They dropped it like hotcakes as soon as someone found out you could use real keys and fake out the LEAF.

    5. Re:Why not use encryption? by karbonforms · · Score: 3, Funny

      You appear to still not know, despite your googling. That would be 1919. You know, like, AFTER, world war one? I'm no historian, but no google required! lol

  7. block china by fazey · · Score: 5, Interesting

    Honestly, people should really just block all of the Chinese IP ranges. I've moved the sshd ports on my servers back to port 22 simply to see how many attempts and from who I get. 80% of the attempts at password cracking are on IP space owned by China. I've reported the IP space to their providers, as well as any email addresses in the SWIP info. Honestly? Screw them. I will block their entire f'ing country, and suggest that everyone else do the same.

    1. Re:block china by Qzukk · · Score: 4, Informative

      knew how to "block all of the Chinese IP ranges"

      Okean.com has the goods.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
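
Added example, not part of any comment in this thread: one way to measure what fazey describes above, the share of failed sshd password attempts that originate from a given list of IP ranges, before deciding whether to block them. The log lines and CIDR ranges are constructed (documentation address space), and the one-CIDR-per-line list format is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Mar  3 04:11:02 host sshd[811]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  3 04:11:05 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  3 04:12:40 host sshd[902]: Failed password for root from 198.51.100.23 port 51514 ssh2
Mar  3 04:13:01 host sshd[950]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
Mar  3 04:14:09 host sshd[977]: Failed password for invalid user test from 203.0.113.200 port 33810 ssh2
Mar  3 04:15:30 host sshd[990]: Failed password for root from 2001:db8::5 port 40000 ssh2
"""

# Hypothetical range list: one CIDR per line, '#' starts a comment (assumed format).
SAMPLE_RANGES = """\
# constructed example ranges
203.0.113.0/24
2001:db8::/32
"""

# Greedy '.*' makes the match take the LAST " from <ip> port <n> ssh2" on the line,
# so a login name crafted to contain a fake "from 1.2.3.4 port 1" cannot spoof the source.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+ ssh2\s*$")

def load_ranges(text):
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return [ipaddress.ip_network(l, strict=False) for l in lines if l]

def tally_failures(log_text, nets):
    """Count failed password attempts per matching range, or under 'unlisted'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated messages
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or malformed address in the log
        hit = next((n for n in nets if addr.version == n.version and addr in n), None)
        counts[str(hit) if hit else "unlisted"] += 1
    return counts

def listed_share(log_text, range_text):
    counts = tally_failures(log_text, load_ranges(range_text))
    total = sum(counts.values())
    return (total - counts["unlisted"]) / total if total else 0.0
```

Counting per range rather than per address shows whether a few networks dominate the noise, which is the evidence needed before a coarse block that also cuts off legitimate users in those ranges.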
  8. Re:Titles by RazorSharp · · Score: 2

    The inevitable result of government itself is corruption.

    The inevitable result of humans living socially is corruption. Therefore, people should cease to be social animals because somewhere along the line someone will screw someone else over.

    The inevitable result of money is corruption. Therefore, we should abolish all monetary systems and the systems of distribution that depend on them.

    The inevitable result of monogamy is corruption. Therefore, we should embrace Brave New World sexual practices and everyone should sleep with everyone so no one will be jealous.

    Do you see your fallacy now?

    --
    "From the depths of my skeptical and rationalist soul, I ask the Lord to protect me from California touchie-feeliedom."
  9. Re:China is our friend! by RazorSharp · · Score: 2

    Meh, it wouldn't have been that big of a deal. Thirty years ago they were making similar jokes about Japan.

    --
    "From the depths of my skeptical and rationalist soul, I ask the Lord to protect me from California touchie-feeliedom."
  10. does he think the US doesn't monitor stuff too? by decora · · Score: 2

    ever heard of Fusion Centers, the TSA, the NSA, etc etc etc?

    granted we don't have widespread extortion and bribery - often because those programs are supposed to be secret.

  11. what about the innocents? by decora · · Score: 4, Insightful

    China is full of people who want to reach out to the other countries and talk with us... how can it be good to break them off?

  12. WTF?? by rudy_wayne · · Score: 4, Funny

    This alleged extortion plot happened in 2007

    1. Re:WTF?? by Arancaytar · · Score: 5, Funny

      Yeah, but someone at Slashdot messed up and clicked the approve button too soon. The story was scheduled to run in 2017.

  13. Re:It's blackmail by a government censor&spy a by wisty · · Score: 4, Interesting

    Try getting a job at the NSA. You'll be security-screened up the wozoo, and then face 10 years in the slammer if you leak. Ask Manning.

    There's also a lot of security - no USB drives, no internet (they'll have 2 computers, one of which can only access a LAN where the confidential information is kept), audits, lots of rules, etc. Manning used a CD burner. I'm betting that's going to be a bit harder to do now.

  14. Re:It's blackmail by a government censor&spy a by JWSmythe · · Score: 2

    I suspect the buzzing on your phone isn't coming from your phone. It's coming from the implant in your head. Have you checked for signs of alien abduction? I suspect that you may fit nicely in another demographic.

    --
    Serious? Seriousness is well above my pay grade.
  15. Monitoring devices by weegiekev · · Score: 3, Informative

    Please take this article with a pinch of salt. I was working in Shanghai in 2008 and spent a few years out there. We had a server room, leased lines, an ICP license. Yes, the internet there was filtered and monitored, but that was all done at the ISP level or beyond. I've never heard of any situation where the government installed a monitoring device attached to a server. I really doubt that's what happened, and it sounds like the person quoted in the article doesn't work in IT. Most likely they had a managed leased line and the telecoms provider was being proactive about the service. That's not uncommon.

    I heard a lot of speculation and fears from colleagues who came over. I had our HR manager tell me how she knew her blackberry was getting monitored because she could hear it getting tapped. Seriously, your mobile doesn't get routed through an analogue exchange with a tape recorder attached. There's a lot of misunderstanding and mistruths that get spread around. That's not to say censorship doesn't happen. A number of people I know had blog posts removed because of sensitive keywords - that actually seemed to be regarded as pretty normal, and they weren't worried about being dragged away for a 'cup of tea' with the authorities. The reality is generally a lot more normal than you'd imagine though.

    In terms of what happened to the CEO's mail account, I think it's much more likely that their machine was compromised with malware. Malware is rife in China, mostly as there's still a huge amount of software piracy. I've seen plenty of download sites in China with files riddled with trojans. Given that their personal email was also broken into, it does sound like their machine was compromised rather than line monitoring. The device attached to the server? I don't buy it...

  16. Re:What sort of story is this? by Arancaytar · · Score: 2

    Uh... the part where someone tried to extort six figures for stolen business information?
    In what universe is that not a story?

  17. Re:Have You Ever Heard of Encryption? by Kittenman · · Score: 2

    What else did he know? What else was there to know? Who was doing this? Why? What did other people already know? Was there anything about me they didn't know, or couldn't misconstrue to their advantage?

    Have you ever heard of encryption?

    It should be standard on every e-mail app, just like it's standard on every router. I would love to encrypt all of my e-mail, but my friends are either too lazy, or too technically illiterate, to install and use it. If it was part of setting up your e-mail, well, the world would be a better place. Tell ya what, though: If I were doing business in a place like China, (or Russia, or Cuba, etc.), I would insist upon it. But, who knows what servers your e-mail gets bounced around on as it is?

    Totally agree. Yonks ago it was said that an email is about as private as a postcard. Sending private or business-sensitive information over the email is just foolish.

    And don't start the 'yes but encryption can be hacked' chain. Replace "Uncle Bill" with [company name] and "Plums" with [financial amount] and the sentence "Uncle Bill wants the plums by Friday for the pie he's making" is meaningless to anyone without the key. Cryptography's been around since before Caesar.

    --
    "The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill