Slashdot Mirror


How a Chinese Hacker Tried To Blackmail Me

An anonymous reader writes "Slate provides the first-person account of a CEO who received an e-mail with several business documents attached threatening to distribute them to competitors and business partners unless the CEO paid $150,000. 'Experts I consulted told me that the hacking probably came from government monitors who wanted extra cash,' writes the CEO, who successfully ended the extortion with an e-mail from the law firm from the bank of his financial partner, refusing payment and adding that the authorities had been notified. According to the article, IT providers routinely receive phone calls from their service providers if they detect any downtime on the monitors of network traffic installed by the Chinese government, similar to the alerts provided to telecom providers about VoIP fraud on their IP-PBX switches. 'Hundreds of millions of Chinese operate on the Internet without any real sense of privacy, fully aware that a massive eavesdropping apparatus tracks their every communication and move...' writes the CEO. 'With China's world and ours intersecting online, I expect we'll eventually wonder how we could have been so naive to have assumed that privacy was normal - or that breaches of it were news.'"

11 of 146 comments

  1. Words mean things by chicago_scott · Score: 5, Insightful

    That's a criminal, not a hacker.

    1. Re:Words mean things by ireallyhateslashdot · Score: 5, Insightful

      You're half right. Criminals can be hackers, and hackers can be criminals. They aren't mutually exclusive.

    2. Re:Words mean things by Pf0tzenpfritz · Score: 4, Insightful

      He's completely right. As a gov monitor the guy did not have to hack into anything. Everything was already there. Technically, he did not even have to use equipment in a different way than he was expected to - and blackmail hardly qualifies as "social engineering".

      No hack found here. Just a cheap and nasty case of corruption - but what else would you expect from a professional denouncer?

      --
      Oh, the beautiful gloss of greality!
  2. Why not use encryption? by inglorion_on_the_net · Score: 4, Insightful

    I don't understand the summary, but riddle me this: Is there any good reason not to use end-to-end encryption?

    We've had PGP since 1991 and SSL and SSH since 1995. Some of these were developed in response to plaintext sniffing attacks. That means that the fact that communication in the clear is a security risk and the fact that there are people listening to your communications in order to obtain sensitive information haven't been news, and easy ways to protect your communications against this have been available, for over 15 years.

    --
    Please correct me if I got my facts wrong.
    1. Re:Why not use encryption? by Kozz · Score: 4, Interesting

      ...We've had PGP since 1991 and SSL and SSH since 1995 ... easy ways to protect your communications against this have been available, for over 15 years.

      I don't think that your definition of "easy" is the same as mine. I've worked with all kinds of operating systems, hardware, software, and so on. I've read TLDP while deciding how I wanted to configure the multitudes of flags for a new kernel on my Slackware box (Pentium MMX FTW!). I'm not afraid of trying new stuff or reading documentation to get it done. I've used PGP(GPG) and I'd say it's far from easy. I understand PKI principles on a superficial level, but to use PGP hasn't ever been intuitive to me.

      It's probably safe to say that a great number of people reading this post have had to field telephoned questions from relatives who didn't know how to download and install a Windows application. And you're telling me that PGP is easy? In the few cases I've used it, I've also had to give my colleagues or business partners tutorials on how to read or compose emails with it, because I'm the techie-guy, not them. And because of the high bar, there were very few people in personal or professional circles who could receive such a message.

      HTTPS is relatively easy to implement for administrators and it's transparent to most users, requiring little additional knowledge. I really do welcome the day when a PGP-like product is that easy to use.

      --
      I only post comments when someone on the internet is wrong.
  3. block china by fazey · Score: 5, Interesting

    Honestly, people should really just block all of the Chinese IP ranges. I've moved the sshd ports on my servers back to port 22 simply to see how many attempts and from whom I get. 80% of the attempts at password cracking are on IP space owned by China. I've reported the IP space to their providers, as well as any email addresses in the SWIP info. Honestly? Screw them. I will block their entire f'ing country, and suggest that everyone else do the same.

    1. Re:block china by Qzukk · Score: 4, Informative

      knew how to "block all of the Chinese IP ranges"

      Okean.com has the goods.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
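
Added example, not part of the thread: one way to measure how much of the failed sshd login traffic a CIDR block list of the kind discussed above would actually cover before applying it. The log lines, block-list entries and function names are constructed for illustration, and the log format assumed is OpenSSH's usual "Failed password for ... from <ip> port <n>" message.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log lines using documentation address ranges (not real data).
SAMPLE_LOG = """\
Jan 10 03:14:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Jan 10 03:14:03 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Jan 10 03:15:40 host sshd[2110]: Failed password for root from 198.51.100.23 port 41010 ssh2
Jan 10 03:16:02 host sshd[2114]: Accepted publickey for deploy from 192.0.2.10 port 60001 ssh2
Jan 10 03:17:55 host sshd[2120]: Failed password for invalid user a from 192.0.2.1 port 22 from 203.0.113.99 port 38822 ssh2
Jan 10 03:18:20 host sshd[2125]: Failed password for root from 2001:db8::5 port 40000 ssh2
"""
# Constructed block list in CIDR form: one network per line, '#' starts a comment.
SAMPLE_BLOCKLIST = "203.0.113.0/24  # example range\n2001:db8::/32\n"

# The user name is attacker-controlled, so match greedily and anchor at the end
# of the line: only the last "from <ip> port <n>" is the address sshd recorded.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port \d+(?: ssh2)?\s*$")

def load_networks(text):
    """Parse CIDR lines, ignoring blanks and comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def failed_sources(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            try:
                counts[ipaddress.ip_address(m.group(1))] += 1
            except ValueError:
                pass  # not an IP literal (e.g. a host name); skip it
    return counts

def coverage(counts, networks):
    """Return (attempts covered by the list, total attempts, uncovered sources)."""
    def listed(ip):
        return any(ip.version == n.version and ip in n for n in networks)
    missed = sorted(str(ip) for ip in counts if not listed(ip))
    hit = sum(c for ip, c in counts.items() if listed(ip))
    return hit, sum(counts.values()), missed
```

The third value returned by `coverage` lists the sources the block list would not stop, which is the part a range-based block leaves to other controls such as key-only authentication or rate limiting.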
  4. what about the innocents? by decora · Score: 4, Insightful

    China is full of people who want to reach out to the other countries and talk with us... how can it be good to break them off?

  5. WTF?? by rudy_wayne · Score: 4, Funny

    This alleged extortion plot happened in 2007

    1. Re:WTF?? by Arancaytar · Score: 5, Funny

      Yeah, but someone at Slashdot messed up and clicked the approve button too soon. The story was scheduled to run in 2017.

  6. Re:It's blackmail by a government censor&spy a by wisty · Score: 4, Interesting

    Try getting a job at the NSA. You'll be security-screened up the wozoo, and then face 10 years in the slammer if you leak. Ask Manning.

    There's also a lot of security - no USB drives, no internet (they'll have 2 computers, one of which can only access a LAN where the confidential information is kept), audits, lots of rules, etc. Manning used a CD burner. I'm betting that's going to be a bit harder to do now.