
Password Hackers Do Big Business With Ex-Lovers

ScuttleMonkey posted more than 5 years ago | from the time-to-get-sneakier dept.

Hugh Pickens writes "The Washington Post reports that disgruntled lovers and spouses considering divorce are flocking to services like YourHackerz.com that boast they have little trouble hacking into Web-based e-mail systems like AOL, Yahoo, Gmail, Facebook and Hotmail. The services advertise openly, and there doesn't appear to be much anyone can do about it because while federal law prohibits hacking into e-mail, without further illegal activity, it's only a misdemeanor, says Orin Kerr, a law professor at George Washington University. 'The feds usually don't have the resources to investigate and prosecute misdemeanors,' says Kerr. 'And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace.' It's not clear where YourHackerz.com is located, but experts suspect that most password hacking businesses are based overseas."

197 comments

So wait... (0, Redundant)

uxbn_kuribo (1146975) | more than 5 years ago | (#29341583)

You mean people actually still think that web-based, free emails are secure?

RTFS (4, Insightful)

SanityInAnarchy (655584) | more than 5 years ago | (#29341593)

Actually, web-based, free emails could be remarkably secure, if people weren't such morons about passwords.

Re:RTFS (4, Funny)

Mooga (789849) | more than 5 years ago | (#29341755)

I just post my Username and Password on Bugmenot so I don't need to worry about ever forgetting it.

Re:RTFS (0)

Anonymous Coward | more than 5 years ago | (#29342079)

I still think putting all your personal information in a file and uploading it as xxxhardcorexxx.torrent is the better option.

Re:RTFS (0)

Anonymous Coward | more than 5 years ago | (#29343087)

And how long can the URL or description or whatever in a .torrent file be? Perhaps you could store all the info in folder and file names.

Re:RTFS (1)

masshuu (1260516) | more than 5 years ago | (#29343487)

I think I'll store my new login info for my new Gmail email right here, in case I forget it.

heateddeates007@gmail.com g6Y09@e4

Re:RTFS (5, Insightful)

Anonymous Coward | more than 5 years ago | (#29341955)

Actually, web-based, free emails could be remarkably secure, if people weren't such morons about passwords.

I'd imagine it has more to do with those damn required "Security Questions", many of which use publicly available information.
Even the services which allow you to specify the question and answer are probably no match for a cracker working in conjunction with an Ex.

I'd be more worried about what the crackers do with the knowledge they acquire as far as your other accounts are concerned. Sure, they may hack the e-mail account for you, but they're just as likely to clear out your bank account afterwards.

Re:RTFS (3, Insightful)

anagama (611277) | more than 5 years ago | (#29342127)

With respect to security questions, I'm more concerned about companies gathering needlessly private info about me. So I make up answers and record those along with my username and password in my encrypted password list.

Re:RTFS (5, Funny)

xaxa (988988) | more than 5 years ago | (#29342819)

"Hello, Student Loans Company, do you have a reference number?"
"Yes, L238BNM"
"Could you tell me the fourth letter of your mother's maiden... hmm... I'm sorry sir, I think there's a problem with the system, please--"
"Is it a hash symbol?"
"Er... yes. And the first letter of your first pet's name?"
"The number 8"
"That's correct."

Re:RTFS (1)

phyreskull (1275388) | more than 5 years ago | (#29343733)

I can see you doing that, if you haven't already...

Re:RTFS (1)

Cheesetrap (1597399) | more than 5 years ago | (#29342359)

I'd imagine it has more to do with those damn required "Security Questions", many of which use publicly available information.
Even the services which allow you to specify the question and answer are probably no match for a cracker working in conjunction with an Ex.

Not if you make the question something absurd like:

greendogsuit-goodsite-gesundheit

And the answer isn't as complicated as it seems:

gir-slashdot-achoo

So long as it makes sense to _your_ brain, it doesn't have to conform to the usual 'security questions' format, and thus you can avoid the associated vulnerability of ex-accessible data. ;)

Re:RTFS (1)

Espinas217 (677297) | more than 5 years ago | (#29342633)

I'd imagine it has more to do with those damn required "Security Questions", many of which use publicly available information. Even the services which allow you to specify the question and answer are probably no match for a cracker working in conjunction with an Ex.

Please, it is not so hard to just type some garbage there, long, alpha-numeric garbage.

Re:RTFS (2, Informative)

Jessta (666101) | more than 5 years ago | (#29342019)

and that's a good point.
It seems that passwords are kind of a terrible way to secure things.

Needs more OpenID, client certificates, and HTTPS

Re:RTFS (1)

CharlyFoxtrot (1607527) | more than 5 years ago | (#29342075)

I guess disgruntled lovers wouldn't even have to know the password since they know enough about you to answer the password reset questions.

Re:RTFS (0)

Anonymous Coward | more than 5 years ago | (#29342179)

I doubt my ex knows that my favorite color is "ql7ao3s0ufh-erkw=m0x75la44ilpe".

Re:RTFS (2, Funny)

Anonymous Coward | more than 5 years ago | (#29342647)

Now she does.

Re:RTFS (1)

whopub (1100981) | more than 5 years ago | (#29342895)

Now she does.

My fault, I read it here and... well, I talk while I sleep...

Re:RTFS (3, Funny)

BrokenHalo (565198) | more than 5 years ago | (#29342321)

I guess disgruntled lovers wouldn't even have to know the password

... a good reason to keep your lover gruntled. :-)

Re:RTFS (2, Interesting)

mlts (1038732) | more than 5 years ago | (#29342929)

What I'd like to see would be more ability to use a standardized keyfob (such as RSA's SecurID), a smart card that has one's client certificate, or perhaps both in one device like the Aladdin eToken NG-OTP. Combine this with some type of decentralized but usable authentication system like OpenID, and this would go a long way to making bad or guessed passwords a thing of the past.

Smart cards go a long way to ease authentication hassles, but they bring their own issues, such as card lockouts due to too many failed PIN attempts, lost/stolen/accidentally microwaved cards, user training, and malware which captures the PIN on a compromised computer then, if the card is still inserted, uses it for its own bad stuff.

Re:RTFS (0)

Anonymous Coward | more than 5 years ago | (#29342029)

You mean that that prince in Nigeria isn't actually gonna give me all his millions for my password (and help)? No way! :P

The problem isn't that web-based e-mails are "insecure", it's that people *are* morons who won't hesitate to give out their password if someone pretends to need it.

Re:RTFS (0)

Anonymous Coward | more than 5 years ago | (#29342131)

If the common user can use passwords effectively, then passwords are broken, not the users. See the sibling [slashdot.org] of your post.

Re:RTFS (4, Insightful)

houghi (78078) | more than 5 years ago | (#29342417)

Sure. That is what people tell me all the time to use a secure password. http://maord.com/ [maord.com] can easily help you with that. So now I have a secure password like cJQKUG4P generated by that website.
Obviously like most people I have a bunch of different logins, many where I was not able to select my own login. To be secure I must use several ones. e.g. one for work, one for the bank, one for mail and one for websites.
9b3MHDHz
m4YBn3t8
vMSLs44e
CsQnP5Fy

These four I must remember and change every month. And that is if I only use four and group my logins. If I want to be really secure, I will use a different one for each login I am able to change the password (17 of them, not calculating the many websites):
UVvCUmE3
Snip 15 random passwords
Lameness filter encountered. Post aborted!
Filter error: That's an awful long string of letters there.

qAv9qZHR

I am not allowed to save them. I must memorize them. Yes, there are other options, like using the first letters of a sentence, but due to the sheer number of logins it becomes impossible.

It is a known fact that people are stupid. If you make something that proves that fact, then the problem is not the moron users, but the designers. I have no clear answer on how to solve it, but I would start with removing the forceful changing of passwords every month. That WILL lead to weaker passwords.

Re:RTFS (0)

Anonymous Coward | more than 5 years ago | (#29343125)

Those passwords are not practical unless you remember them. I use passwords derived from sentences. They are much longer than the ones you posted and someone has a better chance of remembering them (so they are not written down somewhere).

"My office phone number is 202-555-1212"
"My license plate number is JET-1283"
"I drive a 2006 Hyundai Elantra"
"Clariion CX3-80 with 14 daes"
"Cisco 4500 with IOS 12.4"
"HP DL380-G6"
"We just upgraded to ESX 4i with shared storage"

Re:RTFS (1)

houghi (78078) | more than 5 years ago | (#29343697)

Great if you are able to do that. I have problems remembering what the sentence was this month for each of them and would confuse them with the ones for last month. The majority of people have the same problem.

There are two ways around this. 1) Alter the people. 2) Alter the system

1) has been tried for many years now and it does not seem to help. Perhaps it is time to think about changing 2).

Or we can just keep blaming the people for being morons and sit on our ivory throne laughing at these morons and be able to blame them for the insecurity of our infallible system.

Re:RTFS (1)

jhol13 (1087781) | more than 5 years ago | (#29342635)

How do these web-mails work at repeated login attempts?
"Kill" the account?
Kill attempts from that IP?
Kill attempts for a limited time?
What about if the attempts come from several different IPs (but more or less at the same time)?

If designed well even easy-to-remember-but-not-totally-trivial passwords can be very hard to crack.

I agree the security questions are a bad idea, unless they have a much faster "kill switch".
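The questions in the comment above (lock the account, block the IP, block for a limited time, attempts spread over many IPs) can be compared with a small simulation. This is an added example, not part of the original thread and not any webmail provider's actual logic; the class name, thresholds and the 10.0.x.y addresses are assumptions chosen for illustration.

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Temporary throttling keyed on the account and, separately, on the source IP.

    All thresholds are illustrative assumptions, not any provider's real settings.
    """

    def __init__(self, free_failures=3, base_delay=30, max_delay=3600,
                 ip_limit=10, ip_window=600):
        self.free_failures = free_failures  # wrong guesses allowed before delays start
        self.base_delay = base_delay        # seconds; doubles with each further failure
        self.max_delay = max_delay          # cap: the block always expires by itself
        self.ip_limit = ip_limit            # failures tolerated per IP inside ip_window
        self.ip_window = ip_window          # seconds
        self._acct_failures = defaultdict(int)  # account -> consecutive failures
        self._acct_blocked_until = {}           # account -> timestamp
        self._ip_failures = defaultdict(deque)  # ip -> timestamps of recent failures

    def _ip_recent(self, ip, now):
        q = self._ip_failures.get(ip)
        if q is None:
            return 0
        while q and q[0] <= now - self.ip_window:
            q.popleft()                     # forget failures older than the window
        return len(q)

    def check(self, account, ip, now):
        """Decide whether a login attempt may proceed to password verification."""
        if now < self._acct_blocked_until.get(account, 0):
            return False, "account_backoff"  # applies whatever IP the attempt comes from
        if self._ip_recent(ip, now) >= self.ip_limit:
            return False, "ip_rate_limit"
        return True, "ok"

    def record(self, account, ip, now, success):
        """Record the outcome of an attempt that check() allowed."""
        if success:
            self._acct_failures.pop(account, None)
            self._acct_blocked_until.pop(account, None)
            return
        self._ip_failures[ip].append(now)
        self._acct_failures[account] += 1
        over = self._acct_failures[account] - self.free_failures
        if over > 0:
            delay = min(self.base_delay * 2 ** (over - 1), self.max_delay)
            self._acct_blocked_until[account] = now + delay


def rotating_ip(i, n_ips):
    """Constructed source address number i of n_ips (private range, not real data)."""
    i %= n_ips
    return f"10.0.{i // 256}.{i % 256}"


def guesses_allowed(throttle, account, n_ips, seconds):
    """Constructed scenario: one wrong guess per second against a single account,
    rotating over n_ips source addresses. Returns how many guesses got through."""
    allowed = 0
    for t in range(seconds):
        ip = rotating_ip(t, n_ips)
        ok, _reason = throttle.check(account, ip, t)
        if ok:
            allowed += 1
            throttle.record(account, ip, t, success=False)
    return allowed


def compare_policies():
    """One hour of guessing from 500 addresses under two policies."""
    per_ip_only = LoginThrottle(free_failures=10**9)  # account backoff disabled
    with_account_backoff = LoginThrottle()
    return {
        "per_ip_only": guesses_allowed(per_ip_only, "victim", 500, 3600),
        "with_account_backoff": guesses_allowed(with_account_backoff, "victim", 500, 3600),
    }


if __name__ == "__main__":
    print(compare_policies())
```

With per-IP limits alone, every guess from the rotating addresses gets through; counting failures per account, with a capped delay instead of a permanent "kill", cuts the same hour to a handful of guesses while the block still expires for the real owner.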

Re:So wait... (2, Funny)

Cheesetrap (1597399) | more than 5 years ago | (#29341623)

You mean people actually still think that web-based, free emails are secure?

But of course they are, they have the big pictures of padlocks on the front page... and you even get that certificate popup thing, that means it's SUPER secure!

Re:So wait... (4, Insightful)

linhares (1241614) | more than 5 years ago | (#29341757)

You mean people actually still think that web-based, free emails are secure?

As opposed to a client-based email, where you can simply get it all through the filesystem? Physical access is game-over. So if you have 30min with your ex's machine, that's pretty much game over, if residing in clients.

Re:So wait... (1)

Jucius Maximus (229128) | more than 5 years ago | (#29341803)

"As opposed to a client-based email, where you can simply get it all through the filesystem? Physical access is game-over. So if you have 30min with your ex's machine, that's pretty much game over, if residing in clients."

I've been storing my Thunderbird folders inside a truecrypt container for some time now. It's peace of mind.

Re:So wait... (3, Informative)

linhares (1241614) | more than 5 years ago | (#29342147)

until she installs a keylogger. Physical access is game over.

Re:So wait... (0)

Anonymous Coward | more than 5 years ago | (#29343657)

Be careful about what TrueCrypt can and can't protect against. You can have TC volumes with the keyfile stored in the bottom of Mount Doom, a 64 character passphrase, a triple cascade, and fake volume headers. However, if an attacker is able to use your computer while those volumes are mounted, it will do you no good at all.

One good practice when using TrueCrypt is to compartmentalize, but this does take time mounting and unmounting containers. When done with your TB E-mail, unmount the volume. When just browsing the Web, unmount everything that isn't related to it.

Re:So wait... (1)

hansamurai (907719) | more than 5 years ago | (#29342249)

Well, if you have 2 minutes with your ex's machine, chances are either they're already logged into their webmail, or their password is saved.

Re:So wait... (1)

ScrewMaster (602015) | more than 5 years ago | (#29342623)

You mean people actually still think that web-based, free emails are secure?

As opposed to a client-based email, where you can simply get it all through the filesystem? Physical access is game-over. So if you have 30min with your ex's machine, that's pretty much game over, if residing in clients.

I had no problem getting my ex-girlfriend's email ... after all, it was residing on my server. As it happened, the only interest I had in it was getting rid of it to reclaim some disk space (the girl didn't understand that you're supposed to delete things now and then.)

Re:So wait... (1)

19thNervousBreakdown (768619) | more than 5 years ago | (#29343019)

Jesus Christ you had your GF's mail on your server? I run my own mail server too, never felt comfortable doing that. I run mail for a couple friends, never been tempted to look and wouldn't look if I was tempted, but I would never give myself that kind of access to someone I was screwing, and besides, what happens when you break up? I guess she lost her e-mail address?

I guess you don't have to worry about things like that when you're ScrewMaster though.

Re:So wait... (1)

ScrewMaster (602015) | more than 5 years ago | (#29343295)

Jesus Christ you had your GF's mail on your server? I run my own mail server too, never felt comfortable doing that. I run mail for a couple friends, never been tempted to look and wouldn't look if I was tempted, but I would never give myself that kind of access to someone I was screwing, and besides, what happens when you break up? I guess she lost her e-mail address?

I guess you don't have to worry about things like that when you're ScrewMaster though.

Well, I'm just point-blank not interested in anything that doesn't concern me. Really, I hate nosy people and I take great pains not to be one of them. So yes, I do take my privacy seriously, but that means I need to take others' seriously as well. Everything on my server is encrypted anyway, so I couldn't read it even if I wanted to. I didn't and I don't.

And no, she didn't lose her email address until she told me she didn't need it anymore. Just because she was a psychotic witch was no reason for me to be a prick. Tempting as it was, I generally feel better if I don't give in to the Dark Side. Anyway, she got a Yahoo account or something like that. As for me, I just wanted the disk space back.

Re:So wait... (0)

Anonymous Coward | more than 5 years ago | (#29341795)

Encrypt! Encrypt! Encrypt!

No resources to investigate misdemeanors? (0)

Anonymous Coward | more than 5 years ago | (#29341621)

No resources to investigate misdemeanors? No problemo then - just post it on /. and I'm sure we'll slashdot them out of business.

Blaming the tools, instead of the behaviour... (3, Informative)

Cheesetrap (1597399) | more than 5 years ago | (#29341695)

"normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace."

Well that's incorrect. I'd be fairly confident that most web-based email services have a way of telling when you logged into your account last (otherwise how would they know when to deactivate your account after X months of inactivity?) - they simply choose not to allow Joe Average to access this information.

Re:Blaming the tools, instead of the behaviour... (4, Insightful)

PIBM (588930) | more than 5 years ago | (#29341817)

GMail has a nice line at the bottom, telling you from which other computer you are connected, when you last took any action, and then some more details. Anyone can take a look at it, but I don't expect many of their users to know what that is for, nor to check it every time they log in ...

Re:Blaming the tools, instead of the behaviour... (3, Insightful)

Hrdina (781504) | more than 5 years ago | (#29342027)

The problem with that little notice is that if you have a lot of email in your inbox, you have to make an effort to scroll down to see it.

Most people don't make efforts.

Maybe if the last activity notice were in the sidebar or near the top of the screen it might be more effective.

I also love how the lead-in to the story discusses a woman who apparently became jealous because her "married boyfriend" was cheating on her...

Re:Blaming the tools, instead of the behaviour... (1)

Thanatos81 (1305243) | more than 5 years ago | (#29342605)

The problem with that little notice is that if you have a lot of email in your inbox, you have to make an effort to scroll down to see it.

There is this little key on most keyboards that's imprinted with "end". One press and all the way down you go ;-)

Re:Blaming the tools, instead of the behaviour... (1)

flamingnight (234353) | more than 5 years ago | (#29343199)

One press and all the way down you go ;-)

Ooh, look. Turtles!

Seriously though, most people don't know what an IP address is, and don't care. There are ways that this could be made easier (when you log in from a "new-to-gmail" IP more than a few times, have it ask you to label as Home/Work/Friend's House/etc), but 1.2.3.4 means nothing to most people outside of /. It's just that computer-speak anyway and "I never need to worry because I've got this friend in Nigeria who's giving me lots of money".

Re:Blaming the tools, instead of the behaviour... (1)

Hrdina (781504) | more than 5 years ago | (#29343555)

Pressing one key (two if you count going back to the top) is exactly the kind of effort that most people don't make. :-D

Ex-lovers? (-1)

Anonymous Coward | more than 5 years ago | (#29341709)

I would have thought that it would be more lovers who think that their lover is untrue to them and want to find out whether this is actually the case. But why would you care about your ex-lover's new love affairs?

Re:Ex-lovers? (1)

selven (1556643) | more than 5 years ago | (#29341767)

Once you lose trust to that extent, you're done.

Re:Ex-lovers? (1)

linhares (1241614) | more than 5 years ago | (#29341829)

divorce dollars?

Re:Ex-lovers? (0)

Anonymous Coward | more than 5 years ago | (#29343463)

People forget that having password access to an ex doesn't just give access to E-mails. It gives access to send stuff out as that person. Most judges and juries believe that if mail came from a certain E-mail address, there is no reason why it would not have come from that person, even past reasonable doubt.

So, someone who manages to obtain access can get the true owner of that account into serious felony-hard trouble, serious civil legal trouble, and on a lesser level, destroy that person's relationships.

This goes on in universities, where people out of malice obtain someone else's userID on campus, then drop them from all their courses. Most people wouldn't catch this until profs receive notice the person dropped, but is still in the class. Or someone turning in a bogus paper in the name of their victim to get them to not just fail a course, but fail on account of academic dishonesty.

compromised (5, Insightful)

Korbeau (913903) | more than 5 years ago | (#29341727)

And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace

Simply do like most client systems and put in big red bold: "someone tried to connect to your account 32 times from w.x.y.z ...", and keep something like a 30 days log of connection history browsable somewhere. I'm sure modern techniques can also be used to highlight strange connection patterns and/or unusual connection location. Although it's far from perfect it at least gives some basic tools to be aware and deal with this situation. And if the hackers know their address is not only logged in an obscure web log but also available to the user (with a nice helpful tips page about what to do and who to contact when you're a victim) it would probably intimidate part of them.

Re:compromised (4, Insightful)

girlintraining (1395911) | more than 5 years ago | (#29341959)

Simply do like most client systems and put in big red bold: "someone tried to connect to your account 32 times from w.x.y.z ...", and keep something like a 30 days log of connection history browsable somewhere.

Yeah, because the average person is going to know what subnet or network they're coming in from. And they'll remember that time they logged in from the coffee house. No -- the information is useless to the average person because they don't know how to interpret it. It'd be like me telling you that the R0 of variola vera is about 6.5. Meaningless to you in this context.

Re:compromised (1, Interesting)

Anonymous Coward | more than 5 years ago | (#29342433)

It'd be like me telling you that the R0 of variola vera is about 6.5. Meaningless to you in this context.

But people might just remember at what time they logged in. Time is quite a common concept in modern society. That said, your estimate on smallpox contagiousness is rather optimistic (depending on your viewpoint): http://www.ncbi.nlm.nih.gov/pubmed/11742399

Re:compromised (3, Insightful)

ScrewMaster (602015) | more than 5 years ago | (#29342631)

No -- the information is useless to the average person because they don't know how to interpret it.

So? Help them interpret it. That's what computers are for. You can't tell me that that raw data can't be presented in some way that does make sense to Average Joe and at least gives him the idea that somebody is screwing with him.
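The exchange above (show the account owner failed attempts and a browsable connection history, but in a form a non-technical user can read) can be sketched as follows. This is an added example, not part of the original thread and not how any webmail service implements its activity display; the log format, the labels and the threshold are assumptions, and the sample events are constructed with documentation-range addresses.

```python
from collections import defaultdict

# Constructed sign-in log for one account, oldest first: (time, source IP, result).
EVENTS = (
    [("2009-09-07 08:02", "192.0.2.10", "ok"),
     ("2009-09-07 13:40", "192.0.2.77", "ok")]
    # 32 wrong passwords from one unfamiliar address, one per minute.
    + [(f"2009-09-08 02:{m:02d}", "203.0.113.5", "fail") for m in range(11, 43)]
    + [("2009-09-08 02:43", "203.0.113.5", "ok"),
       ("2009-09-08 09:15", "192.0.2.10", "ok"),
       ("2009-09-08 19:30", "198.51.100.23", "ok")]
)

# Names the user has given to places they sign in from (hypothetical feature).
LABELS = {"192.0.2.10": "Home", "192.0.2.77": "Work"}


def account_notices(events, labels, fail_threshold=5):
    """Turn raw sign-in events into plain-language notices, most urgent first."""
    fails = defaultdict(list)  # ip -> times of failed attempts seen so far
    notices = []               # (severity, text); lower severity sorts first
    last_known = None          # most recent sign-in from a labelled location

    for when, ip, result in events:
        if result == "fail":
            fails[ip].append(when)
            continue
        if ip in labels:
            last_known = (labels[ip], when)
        elif len(fails[ip]) >= fail_threshold:
            # A success right after many failures from the same unlabelled source
            # is the pattern the owner most needs to hear about.
            notices.append((0, f"ALERT: someone signed in at {when} from {ip} "
                               f"after {len(fails[ip])} wrong passwords. "
                               "Change your password now."))
        else:
            notices.append((1, f"New location: sign-in at {when} from {ip}. "
                               "Was this you? Label it or change your password."))

    for ip, times in fails.items():
        if len(times) >= fail_threshold:
            who = labels.get(ip, "an unrecognised location")
            notices.append((2, f"{len(times)} failed sign-in attempts from {who} "
                               f"({ip}) between {times[0]} and {times[-1]}."))

    if last_known:
        notices.append((3, "Last sign-in from a labelled location: "
                           f"{last_known[0]} at {last_known[1]}."))
    return [text for _severity, text in sorted(notices)]


if __name__ == "__main__":
    for line in account_notices(EVENTS, LABELS):
        print(line)
```

Once the user labels the 19:30 address, that notice disappears and only the failed-attempt burst and the sign-in that followed it remain flagged.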

Re:compromised (0)

Anonymous Coward | more than 5 years ago | (#29343593)

Yes, but then it becomes a problem of education. How do you educate users who don't care to read what's on the screen, even if it's for their own good?

Re:compromised (1)

nitroamos (261075) | more than 5 years ago | (#29342049)

for websites, it's super easy to see who's visited, with many online services providing this.

why isn't there a way to attach a counter to your inbox (i'm looking at gmail)? could it be embedded in a custom theme?

Re:compromised (1)

Threni (635302) | more than 5 years ago | (#29343395)

So Gmail tells me that someone's tried to guess my password - so what? What am I supposed to do with this information? Which part of a hacker would be intimidated by the fact that the IP address of the proxy(s) they are using is logged somewhere?

Slashdotted (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#29341751)

Anyone else think it's rather funny the YourHackerz website is getting pwn'd by Slashdot right now?

Text of the Article (3, Funny)

Anonymous Coward | more than 5 years ago | (#29341763)

Password Hackers Are Slippery To Collar

By Tom Jackman
Washington Post Staff Writer
Monday, September 7, 2009

When Elaine Cioni found out that her married boyfriend had other girlfriends, she became obsessed, federal prosecutors say. So she turned to YourHackerz.com.

And for only $100, YourHackerz.com provided Cioni, then living in Northern Virginia, with the password to her boyfriend's AOL e-mail account, court records show. For another $100, she got her boyfriend's wife's e-mail password. And then the passwords of at least one other girlfriend and the boyfriend's two children. None had any clue what Cioni was doing, they would later testify.

Cioni, however, went further and began making harassing phone calls to her boyfriend and his family, using a "spoofing" service to disguise her voice as a man's. This attracted the attention of federal authorities, who prosecuted Cioni, 53, in Alexandria last year for unauthorized access to computers, among other crimes. She was convicted and is serving a 15-month sentence.

But such services as YourHackerz.com are still active and plentiful, with clever names like "piratecrackers.com" and "hackmail.net." They boast of having little trouble hacking into such Web-based e-mail systems as AOL, Yahoo, Gmail, Facebook and Hotmail, and they advertise openly.

And, experts said, there doesn't appear to be much anyone can do about it.

"This is an important point that people haven't grasped," said Peter Eckersley, a staff technologist for the Electronic Frontier Foundation in San Francisco. "We've been using e-mail for years, and it's been insecure all that time. . . . If you have any hacker who is competent and spends the time and targets you, he's going to get you."

Federal law prohibits hacking into e-mail, but without further illegal activity, it's only a misdemeanor, noted Orin Kerr, a law professor at George Washington University and a former trial attorney in the Justice Department's computer crime section.

"The feds usually don't have the resources to investigate and prosecute misdemeanors," Kerr said. "And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace."

Every state has laws roughly similar to the federal computer laws, Kerr said, and rate the offenses as misdemeanors.

Not long after Gov. Sarah Palin of Alaska was named the Republican nominee for vice president last year, someone hacked into her personal Yahoo e-mail accounts. And as the election neared, someone at George Mason University hacked into the e-mail of the school's provost and sent a schoolwide e-mail saying the election date had been changed.

"Web Based email password hacking or cracking is one of our all time favourite and unique hobby," write the folks at YourHackerz.com. It's not clear where YourHackerz.com is located, but experts suspect that most of the businesses are based overseas. "We will provide you with the original Passwords. No questions asked whatsoever. Payment only after you are CONVINCED. 100% guarantee of Cracking. Total privacy of your information. No legal hassles."

At SlickHackers.com, they boast, "We are professionals interested in helping serious people for whom an email password would mean saving their marriage, knowing the truth, preventing a fraud, protecting their family/job/interests only when conventional ways and normal procedures do not work."

All the services advertise that they will e-mail a screenshot of the target's in-box or even send an e-mail from the target's e-mail as proof that they've cracked the password. The customer then sends payment. One service, whose fee is only 20 British pounds (about $33), then responds with the script from a scene from a Shakespeare play, with the stolen password hidden in the copy.

E-mail inquiries to several of these services did not elicit any responses.

The FBI cannot police the Internet, a spokesman said. "The FBI is aware of these illegal services," spokesman Paul Bresson said, "and we have been successful in the past in identifying criminal activity and working with prosecutors to bring indictments. Users of these services should know that just because a product is marketed on the Internet doesn't mean it's legal."

But agents must be made aware of specific illegal acts occurring in this country before they can pursue a provider, Bresson said. They can't investigate an online service without evidence of a particular crime in the United States.

"This kind of thing has been on the radar of law enforcement already," said Alissa Cooper of the Center for Democracy and Technology in Washington. But with many of the hackers overseas, "in practice it takes a lot of resources and time to build up relationships with [law enforcement] in other countries. They're starting to do that in the cybersecurity realm."

Experts said there are numerous ways to steal someone's e-mail password, from simply guessing at family names or pet names to high-tech infiltration. The most common way is to send the target a link to a greeting card or something else they might specifically be interested in. When the target opens the link, software is installed on his or her computer that snatches the password the next time it's typed in and sends it to the hacker. Web-based e-mail, such as Google's gmail and Yahoo, can also be attacked through bugs in the Web browser, Eckersley said.

"The unfortunate news is there's rather less of computer security than we would want," Eckersley said. "We think of a computer as being incredibly sophisticated. But as it does more, it actually becomes less secure."

Another problem is that many computer users are not terribly computer savvy. "As human beings, we don't have good intuitions about the internal workings of computers. Ninety percent of us make the wrong decision when something pops up about accepting an unauthorized certificate. It's really saying, 'Do you want to be hacked?' "

The Electronic Frontier Foundation published a brochure this summer for people wanting to avoid government detection in international hot spots, including Iran and Burma, but the tips apply universally, Eckersley said. Beware of malware, such as viruses, worms and keystroke loggers. Choose the least risky communication channels. Use encryption. Use different passwords for everything. Eckersley said changing operating systems and carrying all important data on portable disks is another step, if a burdensome one.

The tips are available on the EFF's Web site.

But "if you're an ordinary person and afraid you have an ex-lover who wants to hack you," Eckersley advised, "you're probably better off not using computers for the kinds of communications you want to keep secret."

Once authorities decide to follow a hacker, it's not difficult to determine the source. An FBI agent investigating Cioni simply subpoenaed her phone and e-mail records from the various providers, which showed that she had used e-mail and PayPal to enlist YourHackerz in her quest. A search of her computer found fragments of her targets' e-mail in-boxes.

Then, according to testimony at her trial, when she called her boyfriend, she mentioned material that could be known only by those who had read her boyfriend's e-mail.

Moo, moo. (4, Interesting)

girlintraining (1395911) | more than 5 years ago | (#29341781)

Yeah, well I'd say it's a big reason why I get phone calls. I hung my shingle out a long time ago about being a computer geek. People usually come to me for one of three reasons: First, their computer's suddenly running slow. "But I've tried everything." Malware is the main reason. Second is "It won't turn on anymore." Coffee spill on laptop, or HDD failure without error message. And the third most common reason: "I want to ruin someone's life! You're a hacker, right?"

Of course, these are my friends, not strangers. I usually oblige them by asking if they knew what common passwords their ex used, any websites they frequented, the full spelling of their name, date of birth, and social security number. And the strange part is: They usually know all of these things. You know what I do then? Nothing. Not a damn thing. I sit down and have a long talk with them about personal security and how just like we don't go out alone at night (I'm a girl. Most of my friends are girls -- I know most of you are dudes and don't think about it much), we also need to take precautions online! This is usually said while saying what a bastard the guy was. And I give them a pat on the head, some candy I keep around for this purpose, and send them on their way.

I'm a white hat (eh, most of the time). But a lot of people just like me know this about others because they've hung their shingle out too and announced they're a geek. And not all of them are going to have an ethical hangup about sucking up all your personal data, hacking your accounts, and leaving "I have a small penis" written to all your friends. Because really... The average person if you do go through all the effort to get them access just sits there feeling all powerful for a minute and then does something incredibly juvenile that'll make you wish you'd done your laundry instead of wasted two hours at the keyboard.

My advice to you people: Love your partner. But do not give them the root password!

P.S. Only once ever have I done a spot of sleuthing that I felt was worth it -- when I discovered a friend-of-a-friend was dating a terrorist. No, I don't mean the fluffy-bunny kind that the media portrays either (everything is terrorism these days). No, I mean the guy came overseas, setup shop over here, and was doing serious criminal enterprise and had cases open with a half-dozen agencies. A few days later, a police officer informed her that if she valued her life, she should cease contact with him immediately. Fun times. Everything else though? Boring as shit.

Re:Moo, moo. (0)

Anonymous Coward | more than 5 years ago | (#29341963)

Funny how I never had any friend asking me to hack into an "ex"'s puter.
Either I have friends with high morals, or I have friends that think I would never go so low as helping them out with juvenile actions (well, ok, or I have friends that do not trust me as a hacker).
I only once did voluntarily snoop on someone else's account, and it actually was a beloved one - in a period of sentimental turmoil.
But maybe these different patterns relate to the fact that I am male?

Re:Moo, moo. (3, Interesting)

girlintraining (1395911) | more than 5 years ago | (#29342015)

But maybe these different patterns relate to the fact that I am male?

More likely it's that girls have a lot more acquaintances and casual contacts than men do... And that we gossip so that people who know of us extends beyond a few close friends and coworkers but into the friend-of-a-cousin-of-a-friend's boyfriend scope. That, and most guys just want to be done with the drama and suffer in silence when it ends. Girls don't usually skip the part of the process that entails great amounts of fire and brimstone. Of course, in the end it's all a tempest in a teapot, but that doesn't stop them from beating a path to my door and getting Lecture #46.

Re:Moo, moo. (1)

Anonymous Coward | more than 5 years ago | (#29342093)

I would think all the sexual stereotyping would be beneath you.

Re:Moo, moo. (1)

Bacon Bits (926911) | more than 5 years ago | (#29343013)

It's not a stereotype if it's her observed reality. Anecdote is not data, but personal experience is not stereotype.

Re:Moo, moo. (1)

Nathrael (1251426) | more than 5 years ago | (#29343153)

As sad as it is, there is quite a lot of truth to gender stereotypes. Sure, they have changed in time, but there still is typically male and typically female behavior (hey, don't look at me, I'd love to see female engineers and scientists just as much as you do).

Re:Moo, moo. (0)

Anonymous Coward | more than 5 years ago | (#29342185)

what i find funny is that it is said that women are more mature than men.....
and yet they are prone to petty and dramatic behaviour.......

Re:Moo, moo. (1)

Runaway1956 (1322357) | more than 5 years ago | (#29342709)

Don't tell anyone the unknown fact that most people use the same password for everything. I was interested in a certain female, so I gained physical access to a machine that person used, booted with a Live-CD, and sent the log-in files to a networked hidey hole. John the Hacker later cracked the password for me. The same password logged me into 3 different webmails, Yahoo, Myspace, and some sex-for-sale sites, as well as a couple gay sites. Of course, IE's and XP's handy log features had already told me which sites to visit.

The whole exercise was educational. At my age, few things surprise or shock me, but I was surprised at how ACTIVE this individual was! More than half the activity was substantiated with some "casual" observation and interviews. All of this just made me want to beat the crap out of the young man who was foolish enough to get involved with the skank, but that's another story......

Re:Moo, moo. (2, Insightful)

bickerdyke (670000) | more than 5 years ago | (#29342939)

That, and most guys just want to be done with the drama and suffer in silence when it ends.

we save that for the next common cold...

Re:Moo, moo. (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29342333)

my thoughts about your post:

"I'm a girl. Most of my friends are girls"

1. Yeah right
2. FBI?
3. we need pics of you and said female friends to know if you are telling the truth

"I'm a white hat"
Wait a minute.. a girl and a white hat... does that mean that "white hat" is some kind of witch rank? or does it mean you only use white magic?

PS. I'm totally joking...
PPS. Except for the pics part...
PPPS. Anonymous Coward ftw

lemme get this straight (0)

Anonymous Coward | more than 5 years ago | (#29342423)

This slut had no problem with the guy having a WIFE, yet when she found out about other bitches he was fucking on the side, that was not acceptable? The mind boggles.

ain't no girls on the interwebs (-1, Troll)

Nyder (754090) | more than 5 years ago | (#29342619)

Okay, you know the drill, TITS or GTFO

Ain't no girls on the internet.

So your a trap, or a messed up dude trolling us.

Next time, pics will help

Re:Moo, moo. (0)

Anonymous Coward | more than 5 years ago | (#29343163)

when I discovered a friend-of-a-friend was dating a terrorist. No, I don't mean the fluffy-bunny kind that the media portrays either (everything is terrorism these days). No, I mean the guy came overseas, setup shop over here, and was doing serious criminal enterprise and had cases open with a half-dozen agencies. A few days later, a police officer informed her that if she valued her life, she should cease contact with him immediately.

Damn I wish I thought of that way to dump a crazy x and her crazy hacker friend.

Trivial. (1)

fiendishfish (1528805) | more than 5 years ago | (#29341825)

I am pretty sure they just utilise the 'recover your password' function, as the spouses/relations probably know what the answers are. I seriously doubt they'd even consider bruteforcing/dictionary attacking Hotmail or the like.... As they have a limited amount of attempts to use. It'd be interesting to see how they'd hack an account with a ridiculously long password like: '>AFD,!21)£"($£$3La57~}{' and with a bogus answer to a secret question. I think not 'YourHackerz'. Also, has the website suffered the wrath of the 'Slashdot effect'?

Re:Trivial. (1)

lastomega7 (1060398) | more than 5 years ago | (#29342001)

a ridiculously long password like: '>AFD,!21)£"($£$3La57~}{'

That's amazing. I've got the same password on my luggage!

Re:Trivial. (1)

ninjapiratemonkey (968710) | more than 5 years ago | (#29342549)

That's the stupidest password I've ever heard in my life! The kind of thing an idiot would have on his luggage!

Re:Trivial. (1)

PRMan (959735) | more than 5 years ago | (#29342113)

ridiculously long password like: '>AFD,!21)£"($£$3La57~}{'

No, they just have to visit Slashdot, where geeks brag about their "unbreakable" passwords.

(Note: to avoid any unsightly "whoosh" moments, I know that that isn't really his password. It's a joke, people!)

Re:Trivial. (1)

raju1kabir (251972) | more than 5 years ago | (#29343043)

What's the counterpart to "whoosh" for someone who explaineth too much?

Re:Trivial. (1)

guyminuslife (1349809) | more than 5 years ago | (#29343233)

*cricket noise*

Re:Trivial. (1)

bemymonkey (1244086) | more than 5 years ago | (#29342201)

That's what I'm wondering, actually. As a Gmail user with a relatively long and complicated password, how would these services go about hacking into my Gmail account? All connections in and out are SSL'd, I don't use public WiFi without a VPN, my home WiFi is secured relatively well... Short of e-mailing me a trojan, what options do these guys have?

Re:Trivial. (2, Insightful)

geminidomino (614729) | more than 5 years ago | (#29342699)

That's what I'm wondering, actually. As a Gmail user with a relatively long and complicated password, how would these services go about hacking into my Gmail account? All connections in and out are SSL'd, I don't use public WiFi without a VPN, my home WiFi is secured relatively well... Short of e-mailing me a trojan, what options do these guys have?

Your password may be long and complicated, but look closely at your "security questions." If the client has been lubing your junk, odds are that she knows your dog's name is Archibald and your favorite color is mauve.

"Forgot my password" indeed.

Re:Trivial. (1, Insightful)

Anonymous Coward | more than 5 years ago | (#29342853)

Actually, my favorite colour is 'spaghetti' and my dog's name is 'A Winter's Tale'.

Re:Trivial. (1)

mlts (1038732) | more than 5 years ago | (#29343239)

One system I've thought of for security questions requires a simple app on a cellphone. App asks for a password, then when you type in what it wants for a security question, it SHA-256 hashes the question + the password [1], drops all but the first x characters, and then you use the x (10+ depending on the system, preferably 15-20) amount of characters in the result as the answer.

This way, it's easy to have your answer to security questions, you can enter almost anything in for the question, but yet nobody would be able to get the answer without brute forcing your password on your cellphone app.

[1]: For additional security, the program can hash stuff a large number of times to help combat brute forcing.

Re:Trivial. (1)

raylu (914970) | more than 5 years ago | (#29343705)

But this makes your password recovery questions worthless in case you actually do forget your passwords, so you might as well enter "ashfiuwafewufiawhf" as your answer.

Re:Trivial. (1)

mlts (1038732) | more than 5 years ago | (#29343289)

I keep having people hit up my Gmail account with lost password queries, usually about 3-4 times a week. Even though those mails are routed to a junk mailbox designed for that, all it would take is accidentally clicking on one of the recovery links to lose control of the account.

I do wish Gmail would have an option to require someone trying to obtain a gmail password to pass the challenge/response questions before it sends a link to recover. This isn't foolproof, but it will keep Joe Skiddy from being able to blanket gmail with PW requests in hopes someone clicks on a link.

Re:Trivial. (3, Informative)

Anonymous Coward | more than 5 years ago | (#29342485)

Heh, you're overestimating the level of skill involved.

There are some interesting discussions of how these services work here:

crackpal.com [mcgrewsecurity.com]
crackmails.net [mcgrewsecurity.com]

Go to jail AND lose your divorce case (4, Insightful)

davidwr (791652) | more than 5 years ago | (#29341867)

Sure, you may uncover evidence of unfaithfulness in your divorce case, but your winnings in the divorce case will be offset when you go to jail for computer trespass and the victim [your ex] sues the invader [you] for mega-bucks.

Oh, and if you tell your lawyer where you got the goods, it will trigger HIS ethical obligations. Yes, lawyers have ethical obligations, even those with no ethics.

Re:Go to jail AND lose your divorce case (0)

girlintraining (1395911) | more than 5 years ago | (#29342071)

People who go to jail aren't exactly of the "mega-bucks" variety. They're usually of the "I was too poor to buy myself a get out of jail free card."

Oh, and if you tell your lawyer where you got the goods, it will trigger HIS ethical obligations.

Yeah, he'll tell you he can't use it in a civil case. If it were a criminal case, however, he'd present it to the police as a "reasonable suspicion" and get a warrant to get the evidence legally.

Yes, lawyers have ethical obligations, even those with no ethics.

In the case of lawyers without ethics, you can be assured they will state their ethical obligations can be waived for a fee.

Re:Go to jail AND lose your divorce case (0)

Anonymous Coward | more than 5 years ago | (#29342073)

Not unless you're being stupid about it. Forbidden knowledge is dangerous, because you can inadvertently reveal how you got it, but it is also power, because when you know what you're looking for, you know where to look in a legal way and find what you already know.

Re:Go to jail AND lose your divorce case (1)

mlts (1038732) | more than 5 years ago | (#29343139)

I wonder if in a case like this, the ex can make up where he/she found the info, to hide the real source. For example, it could be claimed that the passwords were gleaned through a keylogger or a hidden camera. Unless the other attorney knows what questions to ask, there would not

Password hints (5, Funny)

PPH (736903) | more than 5 years ago | (#29341883)

What is your girlfriend's name? Let's see the wife try to guess that one.

Re:Password hints (1)

yoma666 (1083023) | more than 5 years ago | (#29343543)

Euhm she's bound to try the name you moan every night in your sleep? It's what started her off in the first place!

Double Standards... (5, Interesting)

fiendishfish (1528805) | more than 5 years ago | (#29341909)

Quite an ingenious scam really. The following link - http://www.complaintsboard.com/complaints/yourhackerzcom-c141692.html [complaintsboard.com] - suggests that they take your 'hard earned money' and then blackmail you. Saying that they will tell the person you are trying to 'hack' if you don't send them $1000. It made me lol.

How to secure against this (4, Insightful)

MaraDNS (1629201) | more than 5 years ago | (#29341953)

There are two ways an adversary can obtain one's password:

  • They can have a machine on the same LAN sniff their password
  • The adversary can use dictionary attacks, based on the person's personal information, to obtain the password.

The first attack can be countered by using Gmail with things set up to always use https for connections (near the bottom of the "settings" page).

The second attack can be countered by using a secure password that is easy to remember but hard to guess. For example, "MaraDNS.org" would not be a very good password for this account, however "otif10md" ("One time I fell 10 meters down") would be a good password. Or, in my case, I use a secure hashing algorithm where a common secret is concatenated with the name of the website I visit to get a secure password, akin to using the Md5 sum of "This is secret;slashdot.org" to get a password.

Re:How to secure against this (2, Insightful)

fiendishfish (1528805) | more than 5 years ago | (#29342025)

Yes, but you have to take into consideration that if the company was real, they wouldn't be operating locally. They'd be operating remotely. Which pretty much rules the former situation out.

Also, I was convinced that SSL was the de-facto standard for GMAIL and other web-mail services...

As I said in my previous post, it has been reported that the 'hackers' are merely scamming peoples money (as expected) and not delivering the service.

Re:How to secure against this (0)

Anonymous Coward | more than 5 years ago | (#29343315)

Also, I was convinced that SSL was the de-facto standard for GMAIL and other web-mail services...

You'd be half-wrong then. GMail (and hopefully all webmail) does authenticate over SSL so password sniffing won't work. After that, however, all your email is transferred in the open unless you understand to check the box...

Re:How to secure against this (1)

Locklin (1074657) | more than 5 years ago | (#29342135)

Or, in my case, I use a secure hashing algorithm where a common secret is concatenated with the name of the website I visit to get a secure password, akin to using the Md5 sum of "This is secret;slashdot.org" to get a password.

I'm curious. Assuming your attacker knows that you use a common hash (and can easily guess which one), what do you gain over just using "secretpassword;slashdot.org?" If the attacker was going to use a dictionary attack, it would require the same number of guesses with and without the hash (or perhaps a measly 5 or 10x if the attacker has to try several hashing algorithms).

Re:How to secure against this (1)

nedlohs (1335013) | more than 5 years ago | (#29342323)

Because if someone finds that your slashdot password is "25bf4e9796" it doesn't really help them work out that your amazon password is "ebf97d7aa8".

But you only need to remember one password, hopefully a slightly better one than that example...

And of course you would not usually use the actual md5 sum hex output, you'd use an encoding that gives you more than 4 bits per byte and manages to meet the usual password restrictions.
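
The per-site derivation MaraDNS and nedlohs describe above, and the hashed security-question answers mlts describes earlier in the thread, as an added example (not code from any poster). It swaps PBKDF2-HMAC-SHA256 in for the bare MD5/SHA-256 and base64 in for hex; the iteration count, length limits and the four-character-class policy are assumptions.

```python
import base64
import hashlib
import hmac

ITERATIONS = 200_000   # assumed stretch factor ("hash a large number of times")
SYMBOLS = "-_"         # the two non-alphanumeric characters of URL-safe base64


def meets_policy(candidate: str) -> bool:
    """Assumed site rule: lower case, upper case, digit and symbol all present."""
    return (any(c.islower() for c in candidate)
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(c in SYMBOLS for c in candidate))


def derive(master_secret: str, label: str, length: int = 16,
           iterations: int = ITERATIONS) -> str:
    """Derive a password (label = site name) or a security answer
    (label = question text) from a single master secret."""
    if not master_secret or not label.strip():
        raise ValueError("master secret and label must not be empty")
    if not 8 <= length <= 40:
        raise ValueError("length must be between 8 and 40")

    # Normalise so " Slashdot.ORG " and "slashdot.org" give the same result.
    salt = label.strip().lower().encode("utf-8")

    # Slow step, done once per lookup: each guess at the master secret costs
    # an attacker `iterations` HMAC computations instead of one hash.
    key = hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"),
                              salt, iterations)

    # Fast step: walk a counter until the output satisfies the policy.
    # Base64 carries 6 bits per character where hex carries 4.
    for counter in range(1000):
        block = hmac.new(key, counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        candidate = base64.urlsafe_b64encode(block).decode("ascii")[:length]
        if meets_policy(candidate):
            return candidate
    raise RuntimeError("no candidate met the policy")


if __name__ == "__main__":
    secret = "constructed master secret, not a real one"  # sample input
    for label in ("slashdot.org", "amazon.com", "What is your dog's name?"):
        print(f"{label!r:30} -> {derive(secret, label)}")
```

Someone who learns one derived value still has to brute-force the master secret through the slow step to reach any other account, so the whole scheme is only as strong as that one secret.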

Re:How to secure against this (1)

Cheesetrap (1597399) | more than 5 years ago | (#29342467)

Or, in my case, I use a secure hashing algorithm where a common secret is concatenated with the name of the website I visit to get a secure password, akin to using the Md5 sum of "This is secret;slashdot.org" to get a password.

I'm curious. Assuming your attacker knows that you use a common hash (and can easily guess which one), what do you gain over just using "secretpassword;slashdot.org?" If the attacker was going to use a dictionary attack, it would require the same number of guesses with and without the hash (or perhaps a measly 5 or 10x if the attacker has to try several hashing algorithms).

Because if you use this password method to create an account on an unscrupulous/insecure site, or manage to get phished, even for a minor account, then they know your 'secret' and can very easily hijack all of your accounts. And yes, there are still plenty of services out there storing in plaintext.

ha (2, Funny)

Anonymous Coward | more than 5 years ago | (#29341985)

The headline implies that the hackers are doing business with THEIR ex-lovers, which didn't make much sense, considering that the average nun has more sex than the average hacker...

Sounds about high that ... (1)

lbalbalba (526209) | more than 5 years ago | (#29342235)

... some high level expert engineers seriously start thinking about ways we *can* detect e-mail snooping has taken place ...

How do they work? (5, Interesting)

Anonymous Coward | more than 5 years ago | (#29342335)

If you're curious how these things work, here's a write-up of a typical example of one of these services [mcgrewsecurity.com] .

Re:How do they work? (1)

guyminuslife (1349809) | more than 5 years ago | (#29343053)

Wow, that's an incredibly lame way to get someone's password.

I'm betting people fall for it, too.

I don't like snoopers! (2)

Amester (1507943) | more than 5 years ago | (#29342365)

Some folks really need to get a life, if they feel they have to snoop on their significant other like this.