IP Lawfirm Sues Typosquatting Security Researcher

timothy posted more than 2 years ago | from the sure-would-be-a-shame-if-somethin'-was-t'-happen dept.

Crime 101

First time accepted submitter scottbee writes "A major New York intellectual property law firm has filed a $1m lawsuit against domain squatter/security researcher Wesley Kenzie (aka Securikai). Kenzie registered domain names to collect misaddressed email, and then held companies to ransom, claiming he had found security vulnerabilities and would consult for five figure engagements. Lockheed Martin handled it with a simple UDRP, but the Gioconda Law Group decided instead to file a lawsuit for 'cybersquatting, trademark infringement and unlawful interception of a law firm's private electronic communications in violation of federal laws,' along with a permanent injunction. Kenzie had also tried the same tactic against Rapid7's HD Moore, but was shamed out of the domain names earlier this year."

101 comments

He should have gotten first post on the domain (-1)

Anonymous Coward | more than 2 years ago | (#40431251)

Then we wouldn't have this problem.

Scummy (3, Insightful)

Anonymous Coward | more than 2 years ago | (#40431287)

Well this Kenzie guy seems to exhibit some pretty scummy behavior. However that bad behavior does not equate to "unlawful interception of a law firm's private electronic communications in violation of federal laws" (at least as I understand the law). He received emails addressed to his legally acquired domain. I don't know if intent plays into the law on this or not - obviously he did intend to get these emails, so maybe that does make him culpable. I am obviously not a lawyer. But as an average citizen, I can say that bad behavior like his should not be rewarded. So hopefully he doesn't make any more money on schemes like this. Just because the way things are set up allows people to be an asshole doesn't mean that they should act like an asshole.

Re:Scummy (1)

arbiter1 (1204146) | more than 2 years ago | (#40431351)

I agree; if he bought the domains legally and mail was sent to those, he didn't unlawfully intercept anything, since it was sent to a domain he owned. It would be like a letter from someone else ending up in my mail box, and 'cause I took it outta my mail box it's tampering with the mail.

Re:Scummy (5, Insightful)

Charliemopps (1157495) | more than 2 years ago | (#40431539)

No, it'd be like if you had your name legally changed to Mitch Romney, moved in across the street from Mitt Romney, waited until you inevitably got some of his mail and then threatened to release it to the public unless he paid you a consulting fee. What this guy did was wrong, but sadly this is very likely going to result in poorly written court decisions or even laws that end up being used by powerful people and organizations to squelch competition. Much like existing cyber squatting laws have been abused.

Re:Scummy (0)

Anonymous Coward | more than 2 years ago | (#40431661)

You've got the best handle ever.

Re:Scummy (3, Interesting)

sirlark (1676276) | more than 2 years ago | (#40432883)

I've always wondered about this sort of thing. Specifically how useful those disclaimers are at the end of company emails; This email may contain confidential information intended solely for the recipient. blah blah blah. Well the recipient (in the technical sense) is whoever the email is addressed to; bob@company.com or bob@compnay.com are two different recipients. Also, these emails are almost always sent in clear text, making it pretty clear the sender doesn't give a rat's ass about the recipient's right to privacy. Yes this guy was being a dick, but I wouldn't call it illegal. I would argue that it's not like moving in next to Mitt Romney. It's more like renting the post box next to his, and people sending mail to mitt romney at the wrong postbox number without using envelopes. Sender's fault.

Of course, to be fair, the domain squatting thing is more like renting thousands of post boxes all over the place, and reading everyone's mail... except it's still all postcards and unenveloped stuff. And he still didn't do anything illegal, since email isn't protected under the second amendment or the laws preventing post from being opened is it? Before anyone bitches about violation of privacy of emails, they should encrypt their mail. This applies especially to companies, who are in the perfect position to make it easy, convenient and MANDATORY for clients to use public key encrypted email.

Re:Scummy (0)

Anonymous Coward | more than 2 years ago | (#40436823)

I know that in the UK it is technically a criminal offence to open someone else's post, even if it's been misaddressed to your house, if you know it isn't yours. (ref: Postal Services Act 2000 Section 84).

Email is a little different in that it can't be delivered without being "opened", so it's more akin to a postcard, and as far as I can see there's nothing to stop you from reading a misaddressed postcard that lands on your doormat. If anyone is stupid enough to send private and confidential info on a postcard, to the wrong address, then they are negligent and you're in the clear for having read it, but I'm not sure if it would be legal to, say, pin it to the parish noticeboard.

Having said that, even if him receiving the emails is legal, and his publishing of the emails may have been legal, extortion is always illegal. This guy acted in bad faith, set out to intercept someone's mail and then demanded money with menaces, and he should face severe consequences for being such a jerk.

Doesn't intent matter... (1)

jopsen (885607) | more than 2 years ago | (#40431961)

I agree; if he bought the domains legally and mail was sent to those, he didn't unlawfully intercept anything, since it was sent to a domain he owned.

He bought the domains with the primary aim of intercepting mail that wasn't his... Same as if I changed the number on my house and set up a mail box that looks like my neighbor's.

I'm sure this angle can be argued in the court. Whether it holds I don't know. I kind of hope it does, there's a reason why judges are human, the world made of ones and zeros. Regardless of how much we all wish we were Neo :)

Re:Doesn't intent matter... (4, Insightful)

Anonymous Coward | more than 2 years ago | (#40432157)

This is one in a class of issues where the conclusion that makes perfect sense to an (intelligent and educated) technician is directly opposed to the conclusion that makes perfect sense to an (intelligent and educated) non-technician.

The technician sees a system with clear and unambiguous rules. You get an address, you send to an address, stuff goes to that address. Breaking THOSE rules seems obviously punishable to a technician (like making stuff go to a different address than the one to which it was sent, for example), but when following those rules (to the letter) all is fair. If you send to the wrong address (which nobody forced or tricked you into doing), that is your own fault, all responsibility is on you.

The non-technician sees the deliberate and conscious setting of a trap that will result in the receipt of communication that was not intended for you. Furthermore, if the trap had not been set, those communications would have harmlessly bounced-back and gone to nobody. The setting of the trap created a hole that was not there before, because now that the trap is set the communications will seem to be delivered when in fact they were "intercepted." The technical details of how this trap was set are completely irrelevant. The fact that someone else (an actual criminal) could easily have set the same trap and spied on you without your knowledge indefinitely is also completely irrelevant.

Generally speaking, the non-technical position is the one that wins whenever such issues go to trial.

Re:Doesn't intent matter... (1)

Nofsck Ingcloo (145724) | more than 2 years ago | (#40433535)

Perhaps we should redirect our discussion from the mis-spelled domain name to the user name. The culprit either deliberately set up one or more specific user names, or set up his mail system to accept any user name that was presented, a-la mailinator. In either case it seems to me that his actions can be seen as deliberately trapping (and opening) communications not intended for him. If he set up specific mail boxes such as joe.smith@hisdomain then perhaps some sort of impersonation charge could be brought.

Re:Doesn't intent matter... (0)

Anonymous Coward | more than 2 years ago | (#40436389)

Change "EMail address" to "bank-account number" and see if your stance still holds.

In my country someone can put money into my account, but again have it removed from there without me having any say in it. Why? Because a mistake was made.

In short: That somebody made a mistake does not automatically mean that whomever gets his hands on it is automatically the owner.

Having said that, I think that that weasel^w"security person" surely acted in bad faith.

Re:Doesn't intent matter... (0)

Anonymous Coward | more than 2 years ago | (#40441479)

As someone in the Computer Security field I see what he did as blatantly wrong. Typo squatting is done by people with malicious intent. And, doing an impromptu security evaluation of someone else's system and then expecting them to pay you for the results is also only done by the malicious.

Re:Doesn't intent matter... (1)

Golddess (1361003) | more than 2 years ago | (#40432209)

He bought the domains with the primary aim of receiving mail that wasn't his.

FTFY. The problem with calling it "intercepting" is that it implies that the email would somehow magically make its way to the intended destination if the typoed domain wasn't registered. Now I could be wrong, but I'm fairly certain that an email sent to bob@gooooogle.com would not ever make it to bob@google.com, even if gooooogle.com was unregistered. Such an email would simply go nowhere.

Re:Doesn't intent matter... (1)

fnj (64210) | more than 2 years ago | (#40432411)

If you're going to say "FTFY", make sure your re-writing at least makes logical sense. Otherwise you run the risk of looking dumb when you're really not.

The primary aim was NEITHER "intercepting mail that wasn't his", as originally written, NOR "receiving mail that wasn't his", as you put it. The problem isn't with the choice of verb (intercepting or receiving). The problem is with the qualifier "that wasn't his". He duly registered a domain and set himself up to receive email sent to that domain; then some email WAS sent to that domain - HIS domain, NOT the domain which is spelled SIMILARLY. By ANY reasonable definition, that was HIS email he was reading. Whoever the sender INTENDED to address and send it to is beside the point; the sender IN FACT addressed and sent it to HIM.

You would have to completely rewrite the sentence to something like "the primary aim was to receive email which the sender BELIEVED he was sending to the other guy". Now we'd be dealing with intent on both ends, as well as presumption, but law cases do that all the time. Sounds like a simple case of fraud and extortion to me. Dressing it up as e-anything is just silly.

Re:Doesn't intent matter... (1)

networkBoy (774728) | more than 2 years ago | (#40434199)

Perhaps there is an opportunity to add "on the Internet" to a criminal activity and get a patent. Then you as an otherwise uninterested third party could join the fray with a patent suit brought in East Texas...

Re:Doesn't intent matter... (2)

Larryish (1215510) | more than 2 years ago | (#40435005)

The Canadian's biggest problem can be summed up as follows:

GoDaddy.Com

What sort of "security researcher" uses GoDaddy on purpose?

I mean, seriously?

Re:Doesn't intent matter... (0)

Anonymous Coward | more than 2 years ago | (#40432425)

He bought the domains with the primary aim of receiving mail that wasn't his.

FTFY. The problem with calling it "intercepting" is that it implies that the email would somehow magically make its way to the intended destination if the typoed domain wasn't registered. Now I could be wrong, but I'm fairly certain that an email sent to bob@gooooogle.com would not ever make it to bob@google.com, even if gooooogle.com was unregistered. Such an email would simply go nowhere.

An incorrectly addressed mail will be bounced back as undeliverable. This guy set up domains pretending to be someone else so that instead of bouncing back an undeliverable, he'll get them instead.

If I rented an office at 555 W Main St. and put a drop box out front that said "Tax Collecter" when the real "Tax Collector" was at 555 E Main St. You can guarantee that I'd be arrested. It doesn't become any more valid to do the same thing online.

It doesn't really matter how amateurish it is. It is still fraud.

Re:Doesn't intent matter... (1)

networkBoy (774728) | more than 2 years ago | (#40434215)

Fraud, yes. Interception of communication? I don't think so.
Though from the other perspective:
It is interception, given that there would have been a bounce of the e-mail had he not 'intercepted' it...

I'm just going to get some popcorn and watch the show.
-nB

Re:Doesn't intent matter... (1)

LordCrank (74800) | more than 2 years ago | (#40433033)

By registering these domains he prevented the senders from getting a message that the url in the address they were sending to did not exist. Presumably he also made it so whatever catch all for the typoed domains wouldn't report an error. If he hadn't set up these domains then the senders would have received automated messages informing them their emails weren't delivered. While he didn't violate the law in stopping these emails from bouncing with errors, his behavior certainly wasn't ethical and did disrupt the intended communications.

Re:Doesn't intent matter... (1)

Golddess (1361003) | more than 2 years ago | (#40438339)

I was not aware that any sort of bounce message would have been sent back to the sender in the event that the domain was unregistered. Thanks for informing me about that.

Re:Doesn't intent matter... (1)

similar_name (1164087) | more than 2 years ago | (#40434937)

FWIW gooooogle.com redirects to digforgold.com.

Re:Scummy (1)

grahammm (9083) | more than 2 years ago | (#40435567)

I agree; if he bought the domains legally and mail was sent to those, he didn't unlawfully intercept anything, since it was sent to a domain he owned. It would be like a letter from someone else ending up in my mail box, and 'cause I took it outta my mail box it's tampering with the mail.

And not only ending up in your mail box, but also having your name and address on the envelope. ie It was correctly delivered according to the sender's instructions.

Re:Scummy (1)

CycleMan (638982) | more than 2 years ago | (#40435677)

And not only ending up in your mail box, but also having your name and address on the envelope. ie It was correctly delivered according to the sender's instructions.

IANAL and other disclaimers. But his name was not on the envelope. He caught every piece of mail that came to his domain. Here's a more true parallel: I bought a house, which has a defined postal address. Other people used to live here and so mail comes to their name at this address. Do I get to open their mail? No I sure as hell do not. If they address it to "Occupant" or to "Person XYZ or Current Resident" then I am entitled to access it. Otherwise, since the sellers didn't give me a good forwarding address, it's "Return to sender -- addressee unknown." Since he admitted he intended to create a confusing situation, the only mail he should have accessed was anything to wesley.kenzie@lockheedmarton.com or securikai@lockheedmarton.com, or other names such as he regularly went by -- and not robert.j.stevens@lockheedmarton.com or nolan.d.archibald@lockheedmartun.com.

Re:Scummy (2)

Tastecicles (1153671) | more than 2 years ago | (#40431365)

if they're making a federal case out of it (pardon the pun), then intent is at the very heart of the matter. It can be proved via cc records and details in the ICANN registry that he bought the domains, so that's not even on the table for discussion. It's for the Feds to prove that his intent was to extort money from "rightful owners" of the domains. I put that in quotes because they missed the boat - he bought the domains, he rightfully owns them.

Re:Scummy (1, Interesting)

suutar (1860506) | more than 2 years ago | (#40431441)

Lockheed-Martin's UDRP proceedings show a precedent (I don't know how strong; it was arbitrated since Kenzie registered the relevant sites through GoDaddy) for considering this behavior to be "operating in bad faith".

Re:Scummy (5, Informative)

interkin3tic (1469267) | more than 2 years ago | (#40431583)

I'm no lawyer, so I'm not talking about legal standards, but the last link in the summary mentions that at least some other similar schemes this guy pulled off, he essentially threatened to post the e-mail contents, which he said were sensitive, on his blog for all to read. Which to me is a pretty clear indication he did intend to extort.

It also points out that this is a scheme that is at least 14 years old, hard to claim that he bought all these domains without realizing they were very close to other domains.

Again I'll point out that I'm not a lawyer, so I'm talking common sense standards here, not legal standards, which usually make no sense to me.

Re:Scummy (0)

Anonymous Coward | more than 2 years ago | (#40433149)

feel free to visit his website http://www.securikai.com/ for more details on his 'vulnerability'. Doing this is one thing, doing it and sending 5 five figure demands for security consulting to solve the issue is another.

I love the spin in the title... (5, Insightful)

CajunArson (465943) | more than 2 years ago | (#40431301)

The title makes it sound like this guy is a legitimate academic who just wants to cure cancer for the benefit of all WomynKind and is being harassed by whatever evil megacorp is at the top of the 2 minutes of hate list today on Slashdot. Then you figure out that this guy is just another scumbag fraudster and he doesn't sound like such an innocent "researcher" at all.

How about a "bank security researcher" who does vital Nobel prize winning research about the response time of police and ambulances when he shoots up a bank during a robbery? I'm sure everyone on this site wants there to be more "research" to make things interesting.

Re:I love the spin in the title... (3, Funny)

TemperedAlchemist (2045966) | more than 2 years ago | (#40431417)

That's the problem with you softies, always getting in the way of good science. I bet you work at Black Mesa.

Now if you excuse me, I have some banks to go rob. For science.

Re:I love the spin in the title... (1)

evanism (600676) | more than 2 years ago | (#40434445)

Aperture Science, for REAL science! Not your phony universe hole tearing girly science!

This is Cave Johnson, for science!

Re:I love the spin in the title... (2)

dAzED1 (33635) | more than 2 years ago | (#40431471)

agreed. If the argument is that anyone trying to figure out and/or exploit security flaws is a "security researcher" then someone busting your car window to steal the iphone you left on the center console is also a "security researcher." Is subby a similar type of "researcher," thus the sympathy/misnomer?

Re:I love the spin in the title... (0)

Anonymous Coward | more than 2 years ago | (#40431681)

Then you figure out that this guy is just another scumbag fraudster and he doesn't sound like such an innocent "researcher" at all.

FT3A (from the 3rd article):

In addition, Kenzie's technical prowess is certainly questionable. Not only did he neglect to research the "blackhole email vulnerability", he has demonstrated that he doesn't fully understand the basics of the Simple Mail Transfer Protocol (SMTP) and the clients/servers that implement it. Failing to understand the basic concepts make it difficult to believe he has any mastery of the more advanced concepts that make up network security.

Perhaps the most surprising aspect to Kenzie's actions, is that he is a contributor and advocate of TOR, self-described as "free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy". Resorting to extortion to make money while claiming his actions are done to "raise awareness of security issues" is an insult to the individuals who actually raise security awareness through legitimate security research.

I'm confused (5, Funny)

ArhcAngel (247594) | more than 2 years ago | (#40431309)

The summary didn't tell me who to root for so I am completely confused.

Re:I'm confused (2)

NettiWelho (1147351) | more than 2 years ago | (#40431357)

Sometimes evil fights evil.

Re:I'm confused (0)

Anonymous Coward | more than 2 years ago | (#40431587)

So how are you going to vote?

Re:I'm confused (1)

Honclfibr (202246) | more than 2 years ago | (#40431781)

The summary didn't tell me who to root for so I am completely confused.

This is one of those rare events when you are actually rooting for the lawyers.

Re:I'm confused (2)

WillDraven (760005) | more than 2 years ago | (#40431825)

Better yet, root for a meteor to hit the courtroom when all concerned parties are in it.

Re:I'm confused (0)

Anonymous Coward | more than 2 years ago | (#40436713)

But what about the judge? He's just an innocent bystander.

Won't somebody think of the judges?!

Re:I'm confused (0)

Anonymous Coward | more than 2 years ago | (#40436819)

I am not too sure about this. If the guy was successfully sued wouldn't that set a very dangerous precedent for future misaddressed email cases?

Doing the same thing to the law firm after you? (0)

Anonymous Coward | more than 2 years ago | (#40431399)

Doing the same thing to the law firm who is going after you? He must either have coconut sized testicles or, more probably, is just a complete nutter -

"However, the Gioconda Law Group alleged that according to recent discoveries, it had found that Kenzie had registered an internet domain name GiocondoLaw.com as a misspelling of GiacondaLaw.com. Then Kenzie had proceeded to create fake e-mail accounts to intentionally intercept private e-mails addressed to the firm’s lawyers and staff."

That's a sure way to get the law firm to go above and beyond in tearing you a new one.

Is it really hard to find nerd news? (0)

Anonymous Coward | more than 2 years ago | (#40431401)

This is not. Nerd news is hardware, odd software, and if you have to stretch it, naked chicks.

Hardly unlawful interception (2, Insightful)

houghi (78078) | more than 2 years ago | (#40431459)

He owns the domain. People send the mail to him. So I hope that they throw that part out. The receiver can not be responsible, the sender should be.

This does not mean that I agree with what he does. He did a lot of things wrong, but unlawful interception isn't one of them.

If they will allow it, whenever you get a mail by mistake, YOU will be responsible. For now the stoopid signatures that legal adds to your external mail mean nothing. For now!

I disagree. (5, Insightful)

khasim (1285) | more than 2 years ago | (#40431517)

He specifically took action to create a destination for the incorrectly addressed emails.

If he had not done that then the emails would have been rejected by the sender's system and kicked back to the sender.

And the way he did that was to register misspellings of legitimate email domains.

He is responsible because he chose to do that.

Re:I disagree. (1)

sixsixtysix (1110135) | more than 2 years ago | (#40431591)

then any ad-farm sites that rely on misspellings should be sued for depriving the correctly spelled url's ad revenue?

Re:I disagree. (1)

DustyShadow (691635) | more than 2 years ago | (#40431665)

Yes. But it is often not worth the time or money.

And how about Asian sound-alikes? (1)

popo (107611) | more than 2 years ago | (#40431905)

And half the electronics brands in Japan from the 1960's should be sued for trying to sound like Western brands?

True story for those who don't know it: Ricoh is a homonym for Leica in Japanese.

There are hundreds of others..

Re:And how about Asian sound-alikes? (0)

Anonymous Coward | more than 2 years ago | (#40436739)

And half the electronics brands in Japan from the 1960's should be sued for trying to sound like Western brands?

Pfft. I know a genuine Panaphonics when I see it.

Re:I disagree. (1)

longk (2637033) | more than 2 years ago | (#40433795)

Yeah, because slasdot.org would never use an info@ e-mail address if slashdot.org was already using it.

Re:I disagree. (1)

oxdas (2447598) | more than 2 years ago | (#40434581)

The question for me is should it be illegal to create a domain with a similar name to an active domain and set up an email server with similar names? I don't see anything wrong with this. There could legitimately be two companies with similar names. If the companies received each other's emails, would a crime or tort have been committed?

This seems to me to be one of those cases where the wrong laws are being applied. He used legitimate tools to further a criminal enterprise. In my opinion, he should be charged for extortion, unjust enrichment, or conversion, http://en.wikipedia.or/wiki/Conversion_(law) [wikipedia.or] , but not for illegally intercepting communications.

Re:I disagree. (1)

bloodhawk (813939) | more than 2 years ago | (#40436799)

I don't think this is a case of the wrong laws being applied at all and I don't think this even raises issues with similar named companies. Like much of the law, the intent of the person's actions needs to be taken into account; this scumbag is intentionally registering similar names in order to intercept incorrectly spelled addresses, hence his goal was to intercept emails, the means by which he did it is secondary.

Re:I disagree. (1)

jcdill (6422) | more than 2 years ago | (#40435553)

There are legitimate reasons to set up a mail server that accepts mail for *@example.com.

Re:Hardly unlawful interception (2)

gnasher719 (869701) | more than 2 years ago | (#40431973)

He owns the domain. People send the mail to him. So I hope that they throw that part out. The receiver can not be responsible, the sender should be.

No, people didn't send mail to him. They sent mail to the intended recipient, something went wrong on the way, and he set up his domain intentionally to benefit from these mistakes. What went wrong was the user making a mistake while typing the email address; that doesn't change who the intended recipient was, and it doesn't change that the mail was intercepted intentionally.

Re:Hardly unlawful interception (1)

Gr8Apes (679165) | more than 2 years ago | (#40434925)

Sorry. Send a postcard, expect it to get read. Be careless enough to send it to the wrong person....It's irrelevant as to why he set up the domains, or that he receives incorrectly addressed postcards. He's not advertising, or anything else. Is he scum? Perhaps. Is he doing something illegal? No.

Re:Hardly unlawful interception (0)

Anonymous Coward | more than 2 years ago | (#40436791)

No, people didn't send mail to him. They sent mail to the intended recipient, something went wrong on the way, and he set up his domain intentionally to benefit from these mistakes. What went wrong was the user making a mistake while typing the email address; that doesn't change who the intended recipient was, and it doesn't change that the mail was intercepted intentionally.

So if I intended to send an email to you, but made a mistake while typing the address, so it ended up at obama@whitehouse.gov, I can sue the Whitehouse, if they read that email?

How is the mail-server going to know who the intended recipient is? According to you, it can't trust the "RCPT TO:" command.
Can the mail server return a "MIND READ" result code, I don't know about? What RFC is that?

Re:Hardly unlawful interception (1)

DroolTwist (1357725) | more than 2 years ago | (#40438697)

No, people didn't send mail to him. They sent mail to the intended recipient, something went wrong on the way, and he set up his domain intentionally to benefit from these mistakes. What went wrong was the user making a mistake while typing the email address; that doesn't change who the intended recipient was, and it doesn't change that the mail was intercepted intentionally.

So if I intended to send an email to you, but made a mistake while typing the address, so it ended up at obama@whitehouse.gov, I can sue the Whitehouse, if they read that email?

How is the mail-server going to know who the intended recipient is? According to you, it can't trust the "RCPT TO:" command. Can the mail server return a "MIND READ" result code, I don't know about? What RFC is that?

Can you sue them if they read it? Probably not. Can you sue them if they try to extort money out of you for not publishing it to the world? Yes. (Well, your example is the U.S. government, which means they'd have to allow you to sue them, but the point stands.)

Re:Hardly unlawful interception (0)

Anonymous Coward | more than 2 years ago | (#40441565)

Extortion is illegal. He may not have performed unlawful interception, but the extortion was still illegal.

Use OpenPGP to solve this problem (5, Informative)

magic maverick (2615475) | more than 2 years ago | (#40431483)

For those of you, like me, who weren't sure what UDRP meant, it means Uniform Domain-Name Dispute-Resolution Policy [wikipedia.org] and ICANN has a page on it [icann.org] .

Anyway, this indicates a major problem with the domain name system. One which could be solved by a simple, careful and widespread application of OpenPGP [faqs.org] . That is, if everyone encrypted emails for recipients, people like this would not be able to read them.

Also, if I were this "security researcher" I would set up legitimate looking websites at the various domains. Perhaps giocondolaw.com could be a website for Grand International Operations. ConDoLaw., a website trying to put together a convention about law for lay peoples, run by GIO, an organisation set up by our hero... Or something. You know, it doesn't even have to be clever, just appear to actually have a real use for the domain name. In the case of the lockheedmartun.com website well, maybe a shell company called Lockhe, which makes an editor (ed) called Martun, Lockhe Ed Martun. Perhaps repackage and sell (for only $5000 a seat, this wonderful software, complete with source code, and what we won't tell you unless you buy it, is that it's just GNU EMACS or perhaps VIM (depending on what you hate the least).

^^^^^^^^ This (0)

Anonymous Coward | more than 2 years ago | (#40432339)

N/T

Re:Use OpenPGP to solve this problem (0)

Anonymous Coward | more than 2 years ago | (#40433815)

Why do you even need PGP here? Messages aren't being MITM'd, they're just getting misrouted because the user typo'd the destination address. You could fix it just by using a proper email address book (which you need for OpenPGP too... unless you're good at memorizing 300+ digit numbers).

Re:Use OpenPGP to solve this problem (0)

Anonymous Coward | more than 2 years ago | (#40436841)

Anyway, this indicates a major problem with the domain name system. One which could be solved by a simple, careful and widespread application of OpenPGP [faqs.org] . That is, if everyone encrypted emails for recipients, people like this would not be able to read them.

How would OpenPGP know which recipient to encrypt for?
As far as I know, most mail clients with PGP/GPG support use the recipient address when looking up the public key.

Re:Use OpenPGP to solve this problem (0)

Anonymous Coward | more than 2 years ago | (#40437073)

In the case of the lockheedmartun.com website well, maybe a shell company called Lockhe, which makes an editor (ed) called Martun, Lockhe Ed Martun. Perhaps repackage and sell (for only $5000 a seat, this wonderful software, complete with source code, and what we won't tell you unless you buy it, is that it's just GNU EMACS or perhaps VIM (depending on what you hate the least).

Isn't that what Escape-Meta-Alt-Ctrl-Fraud is for?

Aggressively stupid (2)

DarkOx (621550) | more than 2 years ago | (#40431495)

Kenzie clearly does not understand how e-mail works. What he is doing is clearly an attempt to extort money from owners of legitimate domains. I don't know if he is doing anything that will pass muster in a court of law, but he is obviously stupid, a fraud, and a prick.

Still, though, he does sorta point out a weakness in mail, even if his solutions are off base. The correct way to handle this is as follows:

1. Sign all mail, and really try to convince recipients to validate signatures. This will give you integrity and irrefutability when sending; at least if you tell all your recipients, if it's not signed, to assume it's a fraud.

2. Use SPF; this will allow recipients to know mail really did come from your domain even if they can't check signatures. It will also help guard against innocent misconfigured sending clients and servers on similar but legitimate domains. It will also keep your domain off RBLs if someone tries false flag spamming to get your domain listed.

3. Encrypt anything you send if any of it is remotely confidential. Not only will this offer protection from interception, it will also cover you in the case you send to a black hole domain like Kenzie likes to set up by mistake; he won't have the ability to decrypt.

If we did these things routinely, the overall security picture of Internet e-mail would be enhanced to the point that it would be "good enough" to thwart most serious threats. Kenzie is a dipshit but he is correct about the weakness of e-mail. Perhaps this security researcher should do a little more research and a little less "consulting" until he learns a thing or two. He is just best ignored.

Re:Aggressively stupid (2)

viperidaenz (2515578) | more than 2 years ago | (#40431775)

But the law firm couldn't have done any of that to fix the "problem". The problem is their clients are typing their email address wrong. Until the whole world follows your 3 rules for email security it won't do much good.

Immoral, but shouldn't be illegal (3, Insightful)

Hentes (2461350) | more than 2 years ago | (#40431511)

What this guy did is certainly not ethical but shouldn't be illegal. You shouldn't have a right to every domain similar to one that you have bought just because you are a big corporation. If a company wants to own all variations of a domain, fucking pay for all of them.

Re:Immoral, but shouldn't be illegal (5, Insightful)

TuringCheck (1989202) | more than 2 years ago | (#40431575)

The extortion part is however illegal. It also proves the domain registration was done with intention to commit an illegal activity.
Hope this guy rots in jail - there are too many "security researchers" in the extortion business of one kind or another.

Re:Immoral, but shouldn't be illegal (1)

Hentes (2461350) | more than 2 years ago | (#40431779)

True, but that happens to be the only thing they didn't sue him for.

Re:Immoral, but shouldn't be illegal (0)

Anonymous Coward | more than 2 years ago | (#40434363)

I'm not sure they didn't file a criminal complaint, but chances are they found it easier to establish the other causes.

What this guy did was deliberate and conscious, not just inadvertently claiming it, but intentionally choosing a course of action.

I'd actually say with the multiplicity of domains and the possibility of variants being so vast as to be endless, that asking them to pay for all of them is a fool's game. It'd be like asking me to check to make sure my mail didn't go in somebody else's box...but a thousand times more like since all the mailboxes would be lined up in an identical stack.

So no, I don't feel the burden should be on the victim to the extent you suggest.

Re:Immoral, but shouldn't be illegal (0)

Anonymous Coward | more than 2 years ago | (#40434467)

Re:Immoral, but shouldn't be illegal (0)

Anonymous Coward | more than 2 years ago | (#40435763)

Yes, and, sorry but did you read it? The charges clearly state claims based on and arising out of "the extortion part." Deceptive Acts & Practices does require a degree of "mens rea" (state of intent/knowledge/mind) of a level of knowledge (that the setting up of a typosquat would likely result in... or that by typosquatting he would be able to...).

This hasn't been mentioned because no one here is a lawyer, and generally they are despised: but consider in addition that communications between a client & attorney are likely to be of the MOST sensitive nature.

Would you feel so lenient if his confession booth looked just like a real one but had a slightly different symbol on its door?

Confidentiality is established by two things: contract and law. Those levels of confidentiality established by law are reflective of the most critical, crucial, communications necessary to permit an individual an adequate degree of privacy and participation in the legal, social, and political climate of the time.

Invading such a sanctum, intentional interference with known privileged and confidential communications, should be subject to far greater charges.

Re:Immoral, but shouldn't be illegal (0)

Anonymous Coward | more than 2 years ago | (#40431605)

I agree with you completely, right up to the point where he used the information in those emails to attempt to extort the firm. Extortion is illegal, and trying to extort a law firm is just plain stupid. It's literally a business FULL of lawyers who have nothing better to do than sue you at that point. Kinda like walking up and slapping a wasp nest.

Why can't everyone just follow Wheaton's Law?

Cybersquatting Douche vs IP Lawyer Douche (0)

Anonymous Coward | more than 2 years ago | (#40431597)

It sucks when you can't pick a side because you're screwed either way.

TLDs (1)

Anonymous Coward | more than 2 years ago | (#40431631)

The new TLDs could potentially make this much worse, for example, if someone has applied for .cmo and/or .con which are two easy typos of .com, it wouldn't take much to set up a wildcard redirect to the correct .com site, but also log all the stuff coming through.
Or even iframe it with google ads or something.

Re:TLDs (1)

Kalriath (849904) | more than 2 years ago | (#40433269)

Applying for a TLD costs almost a quarter of a million dollars. Your theorised situation is implausible at best.

What a retard (1)

viperidaenz (2515578) | more than 2 years ago | (#40431751)

Who are the most sue-happy people on earth? IP Lawyers. If you so much as sneeze in their direction you'll get sued.

He's No Security Researcher (5, Insightful)

thoughtcancer (465644) | more than 2 years ago | (#40431857)

First, he's not a security researcher; calling him that gives him an air of credibility he DOES NOT deserve. He's a sleazy typosquatter giving himself the title of "researcher" to gain a veneer of respectability. I am the risk manager for an organization hit by this guy; his intent is made perfectly clear in the extortion snail-mail he sends his victims: I have your mail, pay me what I ask or I go public. He might wrap it up in an "I'm just an unsolicited security researcher trying to help you", but any attempts to discuss the "vulnerability" with him (the "vulnerability" being that my company didn't register every possible misspelling of our trademarks across all possible TLDs), he will refuse to do so until we signed a consulting contract with him.

Complete scumbag who abuses the system for his own benefit. He started this scam going after smaller companies with no InfoSec staff or Risk Managers, offering to settle for $295; once that worked a couple of times, he moved up to mid-sized companies, provincial government assets, international law firms, banks, and finally the big boys like Lockheed Martin. While he may have succeeded on some of the smaller companies, every bigger organization saw through his scam and either passively ignored his demands or is suing him into oblivion.

He is not welcome in the information security or information risk management communities as long as he persists in this behaviour. HDMoore at Attrition.org has been acting as a clearinghouse for this dude's activities; one read-through and you'll understand that Kenzie has unclean hands.

This guy is a Sith and does not deserve your empathy. When justice is meted out, he will never work in IT again.

Re:He's No Security Researcher (1)

thoughtcancer (465644) | more than 2 years ago | (#40432167)

Sorry to self-reply, but I misattributed.

HDMoore = Jericho

Sorry for the brainfart.

Re:He's No Security Researcher (2)

whitesea (1811570) | more than 2 years ago | (#40433909)

Please, mod the parent up. There is so much speculation in this thread; we can all benefit from actual facts of this story.

Re:He's No Security Researcher (-1)

Anonymous Coward | more than 2 years ago | (#40436157)

Facts? I saw no facts. All I saw was someone with a highly emotional response to a situation with no proof of anything at all. Par for slashdot but poor nonetheless.

Major NY IP Law firm? (0)

Anonymous Coward | more than 2 years ago | (#40432151)

So now a 5 person firm is major. Lol.

Presidential Commendation (0)

Anonymous Coward | more than 2 years ago | (#40432351)

As douchebag as this move is he will probably receive a presidential commendation for his entrepreneurial ingenuity. Just like GE was commended for skipping out on taxes, as "this is how you get ahead in business."

made me think of related/opposite case: Nissan.com (1)

Anonymous Coward | more than 2 years ago | (#40432493)

Good read from UDRP on Lockheed Martin case, format was easy to read and I understood the claims, etc. w/o having to read for hours and click through a bunch of sites. Hmmm, the courts were able to read "his intent" when he registered the names... ;)

This reminded me of a related, but opposite case, individual has name first but corp. wants it: Mr. Nissan's battle from years ago. I clicked on his site today to see how he was faring, and was surprised to find that what the Nissan Motor Corp. lawyers started in 1999 is still going and they are still "on the case"! The read at Mr. Nissan's website was quite educational, naturally at www.nissan.com *Good grief* up and down through the courts, even up to Supreme Court after it started heading towards Free Speech, etc. and then back down... wow!

Re:made me think of related/opposite case: Nissan. (1)

Kalriath (849904) | more than 2 years ago | (#40433291)

After looking at Nissan.com though, I'd say neither party should get to have the domain. Nissan Motors because they're being douches, and Nissan Computers for having the worst designers ever.

Five figure consulting fee (0)

Anonymous Coward | more than 2 years ago | (#40433069)

You're missing the point. He cybersquatted, then sent letters to the companies saying "for $25,000 I'll fix your email security issue"

The term is hacker (0)

Anonymous Coward | more than 2 years ago | (#40433437)

Ok, so, first the term hacker gets jacked by the media to describe someone doing bad things... Now "security researcher" is too? This guy stole companies' email and blackmailed them for five figure amounts... He is not a security researcher, he is a blackhat.

"A major New York intellectual property lawfirm"? (1)

Anonymous Coward | more than 2 years ago | (#40433441)

Uh, can someone explain to me how a firm with all of 4 attorneys counts as "A major New York intellectual property lawfirm"?

I'm aware of a few major IP-only law firms, and they are several hundred attorneys apiece. Good or not, I've never heard of these guys before, and likely will never hear of them again.

Re:"A major New York intellectual property lawfirm (0)

Anonymous Coward | more than 2 years ago | (#40434271)

I think they're a small firm whose lawyers seem pretty well known, by a look at their cases and press mentions online.

Kenzie's Conduct IS Illegal (2)

TheLimey001 (2669309) | more than 2 years ago | (#40433671)

I took a closer look at the actual complaint in the case itself and the UDRP decision in the Lockheed case. Here is why I think Kenzie's conduct IS going to be found illegal under U.S. laws here:

1. Intentional Cybersquatting: Cybersquatting is illegal under US federal law and is punishable by a fine up to $100,000.00. To prove Kenzie is guilty of cybersquatting, the law firm only needs to prove that Kenzie adopted the confusingly similar domain name intentionally and in bad faith, that is, without a bona fide or non-commercial reason. In the prior UDRP proceeding, which is binding on Kenzie, Kenzie's identical conduct against Lockheed Martin was found to be bad faith cybersquatting. By extension, Kenzie is likely to be found guilty here and is going to have a tough time convincing a judge and jury that the Lockheed panel was wrong as well.

2. Intentional interception of private electronic communications: Seems to me that Kenzie intended to do exactly this, and is just trying to justify it in the name of conducting unauthorized and spurious "research." In the Lockheed UDRP case, he as much as admitted that he intentionally intercepted e-mails intended for Lockheed, but that his only defense was that it was done in the name of bona fide research to benefit Lockheed, even though they didn't know about it until he was confronted with the UDRP. The panel rejected this defense, finding that Kenzie simply wasn't authorized to conduct this "research," but was merely trying to line his own pockets by getting a consulting fee out of it. Seems to me that Kenzie is going to lose this one, too.

error in summary (2)

Alimony Pakhdan (1855364) | more than 2 years ago | (#40433683)

Why do we continue to call these sorts of clowns "researchers"?

no sweat off my back (-1, Offtopic)

PopeRatzo (965947) | more than 2 years ago | (#40434131)

I don't really care if Microsoft screws up or ends up looking foolish or fails utterly at their launch of whatever this "surface" thing is.

Somehow, I'm a little bit comforted by a big tech company stepping all over its own dick when trying to come out with a new product.

My future is not dependent on Microsoft's success because I don't identify with Microsoft. I don't have a microsoft logo tattooed to my behind, nor do I stand in line to buy the latest microsoft product. If their product ends up being any good, and the price is right, I might buy it. If not, no. I am not on their team and I don't envision myself as the fresh-faced actor in their commercials.

Like I said, I'm a little comforted by their looking silly with their efforts at this rollout. I prefer having those products judged on their merits instead of their cachet or what engadget says about them.

Unfortunately, I doubt their marketing failure is going to dissuade tech companies from their astroturfing efforts. Maybe consumers will get sophisticated enough to fight off these campaigns, but probably not. As a species we seem to like to pick sides and fly flags, much to our own detriment.

Re:no sweat off my back (0)

Anonymous Coward | more than 2 years ago | (#40434761)

I don't really care if Microsoft screws up or ends up looking foolish or fails utterly at their launch of whatever this "surface" thing is.

Somehow, I'm a little bit comforted by a big tech company stepping all over its own dick when trying to come out with a new product.

My future is not dependent on Microsoft's success because I don't identify with Microsoft. I don't have a microsoft logo tattooed to my behind, nor do I stand in line to buy the latest microsoft product. If their product ends up being any good, and the price is right, I might buy it. If not, no. I am not on their team and I don't envision myself as the fresh-faced actor in their commercials.

Like I said, I'm a little comforted by their looking silly with their efforts at this rollout. I prefer having those products judged on their merits instead of their cachet or what engadget says about them.

Unfortunately, I doubt their marketing failure is going to dissuade tech companies from their astroturfing efforts. Maybe consumers will get sophisticated enough to fight off these campaigns, but probably not. As a species we seem to like to pick sides and fly flags, much to our own detriment.

wat

use encryption (1)

Tom (822) | more than 2 years ago | (#40435881)

He's a scumbag alright, but what he does isn't illegal. Sure the mail might have been intended for someone else, but it was sent to him. If the courts support the bullshit "if you are not the intended recipient..." boilerplates of e-mails, I have a couple things I'd like to write down there. The keyword being intended.

That said, I am a security researcher and consultant. Here's a free bit of security advice: The proper answer to making sure your communication can not be read by someone who may intercept it through whatever means, including typos in the address, is to use encryption. Period.

IMHO, if you're a law firm or someone else with a need for confidentiality, you must have encryption available and remind your clients of it. Since they are the paying party, if they don't want to use encryption then so be it, but if you don't offer the option, you are acting negligently.

Re:use encryption (0)

Anonymous Coward | more than 2 years ago | (#40436361)

Actually, there is a simpler answer. It'll take another few weeks, and then the whole problem of securing email to clients will be a lot easier to manage.

As long as you're dealing with the PATRIOT Act you will *always* have a disclosure risk, because the controls on abuse of the PATRIOT Act are, umm, let's say "imperfect" (that's a tad understated, but it'll do).

In addition, you try and get a client to install crypto to a point that it is actually secure for use - if you recommended that approach you may get a problem if the client screwed up, or you need to offer them help - you see how that problem escalates?

There's a Swiss company I know that is working on simple security - it starts from the legal side of the equation because they are linked to a privacy and reputation management setup, and I know they're about ready.

BTW, I heard one Data Protection officer state that email was not covered under privacy laws, but it felt like an excuse not to have to take on cases where access was breached.

Last but not least, disclaimers have nil value as you do not have a contract with the recipient. However, what you *can* do is add a copyright notice - ironically, we have to thank the RIAA and MPAA for that being strong in court.

Re:use encryption (1)

Tom (822) | more than 2 years ago | (#40436567)

In addition, you try and get a client to install crypto to a point that it is actually secure for use - if you recommended that approach you may get a problem if the client screwed up, or you need to offer them help - you see how that problem escalates?

I recommend no such thing. If your client doesn't want crypto - his call. If your client doesn't know how to use crypto - not your problem. There are people like me who can help your client get it up and running.

The point is that you as a regular party in confidential communications ought to support encryption and mention to your clients that this is the only way to ensure confidentiality. One or two sentences are enough. Most law firms already have a full page of disclaimers, footers and other crap in their e-mails, something along the lines of "We support encrypted email via GPG and S/MIME." could be enough.

I maintain that if you don't at least offer the option to your clients, you act negligently.

There's a Swiss company I know that is working on simple security - it starts from the legal side of the equation because they are linked to a privacy and reputation management setup, and I know they're about ready.

Do you have a URL or contact details? I'm in Germany, but this is the exact area I'm working in as well, because my target audience are small and medium-sized companies who have neither the budget nor the expertise to run all the fancy security theater gadgets that make your shareholders happy and add little to actual security.

However, what you *can* do is add a copyright notice

Good point. In fact, you don't even have to do that, thanks to the Berne Convention. Yes, disclosing emails you intercepted is very likely an act of publishing and thus a copyright violation.

Re:use encryption (0)

Anonymous Coward | more than 2 years ago | (#40436933)

Here's a free bit of security advice: The proper answer to making sure your communication can not be read by someone who may intercept it through whatever means, including typos in the address, is to use encryption. Period.

Encrypting the email with the public key of the mistyped address wouldn't help anyone, would it?

Re:use encryption (1)

danaris (525051) | more than 2 years ago | (#40437071)

Here's a free bit of security advice: The proper answer to making sure your communication can not be read by someone who may intercept it through whatever means, including typos in the address, is to use encryption. Period.

Encrypting the email with the public key of the mistyped address wouldn't help anyone, would it?

And why in the name of Great Cthulhu would you have the public key of some random person who just happens to have an email address a character or two away from one of your regular business partners'?

Dan Aris

Re:use encryption (0)

Anonymous Coward | more than 2 years ago | (#40440659)

And why in the name of Great Cthulhu would you have the public key of some random person who just happens to have an email address a character or two away from one of your regular business partners'?

Why would you assume it's my regular business partner?
If I had written to the company before, my mail client would know the address already and I won't mistype it.

So let's assume I haven't sent anything to the company before. It's therefore likely I don't have the public key either, meaning I'll have to get it somewhere.
So I ask the local key-server for the public key of "mistyped address", the address I think is the right address.

Re:use encryption (1)

Tom (822) | more than 2 years ago | (#40438707)

Your failure scenario requires several additional errors, misconfigurations or other weaknesses. Given enough fuck ups, no security system is safe. The fact that under hypothetical circumstances a security system could theoretically fail does not mean you shouldn't use it. Any and all real-world security and safety systems share this property.

Re:use encryption (0)

Anonymous Coward | more than 2 years ago | (#40440719)

Your failure scenario requires several additional errors, misconfigurations or other weaknesses.

What additional errors? If I haven't contacted the company before, I only have to mistype the address once in the mail client and let the mail client look up the needed public keys for the given (wrong) recipient addresses.

Re:use encryption (1)

Tom (822) | more than 2 years ago | (#40449639)

Failure to verify the recipient key (that's what fingerprints are for), the misguided assumption that it's a good idea to silently fetch and use public keys (use TLS if you want transport security), for starters.

Derp5 (0)

Anonymous Coward | more than 2 years ago | (#40436159)

I get the entrapment but the wiretapping charges are practically baseless.
