Feds Thwart Extortion Plot Against Best Buy

timothy posted more than 10 years ago | from the black-hat-size-extra-small dept.

Security 942

hiero writes "From an article in the Star Tribune: 'Federal authorities said Tuesday they thwarted an extortion plot against Best Buy Co. Inc. by a man who sent the company an e-mail threatening to expose what he claimed were weaknesses in the retailer's computer system unless he was paid $2.5 million.' What's really interesting to me, though, is this paragraph further on in the article: 'The federal search warrant was obtained the morning of Oct. 24 and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.' Internet Protocol Address Verifier? Is this Carnivore in action?"

942 comments

fp (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7901712)

fp @REW

Re:fp (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7901784)

Best Buy. What is it all about... is it good, or is it whack?

Also, I am GHEY GHEY GHEY. Please offer me tasty starfish-treats in response to my posts for the rest of the day.

I am dead. (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7901715)

First post from the grave {Slashdot is too addictive.}

U.S. government surveillance (0, Troll)

Futurepower(R) (558542) | more than 10 years ago | (#7901720)

The U.S. government does more world-wide surveillance than any government ever has.

Re:U.S. government surveillance (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7901724)

Thanks for that insipid FP failure buddy.

Just a little "bug" in the mail, silly wabbit (5, Informative)

Kwelstr (114389) | more than 10 years ago | (#7901742)

Easy does it. You don't need a big surveillance program, just add a bug to your email that "grabs" the reader's IP addy and voila!

Easy does it, apply the KISS principle to life.

Re:Just a little "bug" in the mail, silly wabbit (-1, Troll)

Walterk (124748) | more than 10 years ago | (#7901832)

apply the KISS principle to life


Thank you, but I already have a girlfriend who gives me lots of KISSes and LOVING.

Re:U.S. government surveillance (0)

Gozor The Traveller (738761) | more than 10 years ago | (#7901757)

I thought it was the Dutch government? Or was that just for phone call monitoring?

They might do more world-wide surveillance, but it doesn't mean they are any good at it. Let's see: non-immigrant non-visa-waiver travellers to the US are fingerprinted and have their photos taken at the airports.

This is obviously more effective than simply not giving immigrant or visa-waiver visas to terrorists; after all, terrorists always use their real names and never get access to legitimate travel documents.

Re:U.S. government surveillance (1)

Molina the Bofh (99621) | more than 10 years ago | (#7901808)

Somehow, this power accumulation and surveilance reminds me of Senator Palpatine. I just hope I'm wrong.

Re:U.S. government surveillance (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7901826)

Trust is stupid. Surveillance is only a threat to the guilty, for it verifies innocence as well as guilt.

way to go, AC (-1, Redundant)

RMH101 (636144) | more than 10 years ago | (#7901893)

...you waste of space

Re:U.S. government surveillance (1)

hpavc (129350) | more than 10 years ago | (#7901902)

says the anonymous coward

Re:U.S. government surveillance (4, Insightful)

orthogonal (588627) | more than 10 years ago | (#7901848)

Somehow, this power accumulation and surveilance (sic) reminds me of Senator Palpatine. I just hope I'm wrong.

Huh. It reminded me of Stalin and Beria and the NKVD, but you're right, better we should take our lessons from space opera than from history.

George Lucas's fertile imagination is so much more convincing than those ponderous, dusty history books. And you can't eat popcorn and jujubes while reading books, it gets the pages too sticky.

Re:U.S. government surveillance (0)

Anonymous Coward | more than 10 years ago | (#7901890)

Said the guy who openly and freely badmouths said government without fear of retribution.

Re:U.S. government surveillance (1, Offtopic)

Da Fokka (94074) | more than 10 years ago | (#7901875)

I was quite shocked to hear that my Dutch government holds the record for per-capita phone tapping.

FIRST JEWISH POST! (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7901722)

I am a filthy jew!

is carnivore bad? (1, Interesting)

Pompatus (642396) | more than 10 years ago | (#7901728)

Internet Protocol Address Verifier? Is this Carnivore in action?

This could effectively stop spam, at least in conjunction with additional laws. Would it be worth it?

Re:is carnivore bad? (3, Insightful)

PoitNarf (160194) | more than 10 years ago | (#7901744)

I think that it would only work if you were able to obtain an email address that a spammer actually checked, and we all know how hard those are to come by.

Re:is carnivore bad? (5, Informative)

Anonymous Coward | more than 10 years ago | (#7901952)

Is this Carnivore in action?

No, it isn't. Like another poster said, this is really just a web bug. Carnivore is a sophisticated system for parsing billions of e-mails and flagging interesting things like threats against the President for analysts to examine, but has nothing to do with validating return addresses or anything like that.

The only way to actually know that someone is actually receiving your e-mail at a particular location is to include a web bug that reports their IP address back to you, by opening a socket connection directly to something on a server you own (e.g. an image). So either include an image in the e-mail which is requested from your server, or include a trojan that "phones home" when they run it.

It works. Try it the next time you want to see who's really spamming you. Just send a web bug to whatever the response address is they want you to contact, (you know, for your Nigerian money-laundering instructions), and then examine your server logs carefully to find out where they really are in the world. Of course, you could also send them a backdoor if you wanted, instead of just a beacon, but I would never countenance such uncivilized behavior :)

I think... (5, Funny)

Anonymous Coward | more than 10 years ago | (#7901730)

I think it's called a return receipt :-D Probably was using Outlook which automagically sends one when requested.

Blogzine [blogzine.net]

Re:I think... (1, Interesting)

boogy nightmare (207669) | more than 10 years ago | (#7901733)

Sorry, but no it doesn't. I use Outlook at work and I have to allow mine to return a receipt; if I cancel the request nothing is returned to the sender.

Re:I think... (5, Insightful)

1u3hr (530656) | more than 10 years ago | (#7901753)

Sorry, but no it doesn't. I use Outlook at work and I have to allow mine to return a receipt; if I cancel the request nothing is returned to the sender.

But if you receive an HTML message that includes an IMG link to the sender's site, when Outlook displays the image (even if it's an invisible 1 pixel one) they have your IP. There are ways to block this, but it's on by default. Spammers use this to verify your address.
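An added example (not part of the thread and not any poster's code) of the check behind the "text only" and "block remote images" advice in these comments: it lists every URL an HTML-rendering mail client would fetch just by displaying a message, and flags tiny images as likely beacons. The sample message, its hostnames and the function names are constructed for illustration.

```python
"""List what an HTML-rendering mail client would fetch on open (added example)."""
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make a renderer fetch a URL without any click.
AUTO_FETCH = {
    ("img", "src"), ("input", "src"), ("iframe", "src"), ("embed", "src"),
    ("body", "background"), ("table", "background"), ("td", "background"),
    ("link", "href"),
}

# Constructed sample: one inline (cid:) logo, one remote 1x1 image, one link.
SAMPLE_MESSAGE = """\
From: sender@corp.example
To: recipient@mail.example
Subject: Your message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please confirm receipt.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Please confirm receipt.</p>
<img src="cid:logo@corp.example" width="120" height="40">
<img src="http://logs.corp.example/open.gif?id=constructed-token" width="1" height="1">
<a href="http://www.corp.example/">site</a>
</body></html>
--b1--
"""


def _is_tiny(attrs):
    """True when both width and height are declared as 0 or 1 pixel."""
    dims = (attrs.get("width", ""), attrs.get("height", ""))
    return all(d.strip().rstrip("px") in ("0", "1") for d in dims)


class _RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        for fetch_tag, fetch_attr in AUTO_FETCH:
            if tag != fetch_tag or fetch_attr not in attrs:
                continue
            url = attrs[fetch_attr].strip()
            try:
                parts = urlsplit(url)
            except ValueError:
                continue
            # cid: and data: content travels inside the message itself;
            # only http(s) and scheme-relative URLs contact a remote server.
            if parts.scheme in ("http", "https") or url.startswith("//"):
                self.refs.append({
                    "tag": tag,
                    "host": parts.hostname,
                    "url": url,
                    "likely_beacon": tag == "img" and _is_tiny(attrs),
                })


def find_remote_references(raw_message):
    """Return the remote fetches that rendering the HTML parts would trigger."""
    msg = message_from_string(raw_message, policy=policy.default)
    refs = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = _RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            refs.extend(finder.refs)
    return refs


def text_only_body(raw_message):
    """Return the text/plain alternative, which triggers no fetches at all."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else None


if __name__ == "__main__":
    for ref in find_remote_references(SAMPLE_MESSAGE):
        print(ref)
    print(text_only_body(SAMPLE_MESSAGE))
```

The `<a href>` link is not reported because it only contacts the server if the reader clicks it; the remote `<img>` is reported because displaying the message is enough.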

Re:I think... (1, Informative)

TehHustler (709893) | more than 10 years ago | (#7901788)

Which is why I always use display as text only mode.

Re:I think... (3, Interesting)

AKnightCowboy (608632) | more than 10 years ago | (#7901849)

I'm not sure why the parent is moderated as funny, but it's completely true. That's probably what their IP address verifier used. It's low-tech, but will catch many morons.

Re:I think... (0)

Anonymous Coward | more than 10 years ago | (#7901906)

I have seen whole marketing strategies centred on this - they will give you a call when you open the email.

Can't believe it is on by default in most corporates but it is.

Re:I think... (2, Informative)

D4MO (78537) | more than 10 years ago | (#7901908)

Not in the latest outlook.

Re:I think... (3, Insightful)

Kirill Lokshin (727524) | more than 10 years ago | (#7901754)

There's an option to automatically send them back, though. I think this may have been turned on by default in some older versions of Outlook Express, so it's quite possible for someone unaware of that to send out receipts without knowing.

Re:I think... (1)

salesgeek (263995) | more than 10 years ago | (#7901914)

Unless you are using an exchange server...

Re:I think... (5, Funny)

isorox (205688) | more than 10 years ago | (#7901885)

I do wonder about the sanity of our boss, who sends an all-employee email out (5 in the last two months) with a read receipt request. IIRC there's somewhere in the region of 20,000 employees.

No Wonder (5, Funny)

PoitNarf (160194) | more than 10 years ago | (#7901731)

That's what happens when you try to extort a big company using Outlook.

Re:No Wonder (0)

Anonymous Coward | more than 10 years ago | (#7901926)

That's what happens when you try to extort a big company using Outlook.

"Hey, it worked for Microsoft !"

Re: No Wonder (0, Troll)

Black Parrot (19622) | more than 10 years ago | (#7901932)


> That's what happens when you try to extort a big company using Outlook.

Maybe he'll offer Microsoft a "business relationship" for fixing Outlook, when he gets out of the pokey.

IP Address Verifier == web bug (5, Interesting)

morzel (62033) | more than 10 years ago | (#7901732)

"Internet Protocol Address Verifier? Is this Carnivore in action?"
Methinks that would be marketing speak for an HTML mail with a web bug (1x1 transparent pixel image loaded from remote server). If the 'villain' is using a mail program that displays HTML, his IP address is logged.

Re:IP Address Verifier == web bug (0)

Anonymous Coward | more than 10 years ago | (#7901760)

if this is the case then this simply reinforces my belief that criminals are some of the stupidest on the planet.

I can think of at least 20 ways to defeat any way of the federal government and/or a company to verify that I am a recipient of an email sent to an anonymous address, and I'm by no means an expert or even good at this.

no matter what the feds tried, there is no way a data packet can report its location if I use the correct tools.. (I.E. a non crap email client)

Re:IP Address Verifier == web bug (5, Insightful)

DrSkwid (118965) | more than 10 years ago | (#7901889)

>if this is the case then this simply reinforces my belief that criminals are some of the stupidest on the planet.

clever criminals don't get caught so you don't hear about them

FBI Files and COPS tend not to show you cases where the perpetrator outwitted the victims *and* the police *and* the FBI.

Re:IP Address Verifier == web bug (1)

Monoliath (738369) | more than 10 years ago | (#7901920)

>clever criminals don't get caught so you don't hear about them

>FBI Files and COPS tend not to show you cases where the perpetrator outwitted the victims *and* the police *and* the FBI.

I agree, the guy was sloppy, and he deserved to get caught. I mean, not that what he was doing was right (although I do detest Best Buy)... This is how the wise are separated from the foolish. How the F.B.I. did this isn't even really that spectacular; they just efficiently used this man's ignorance of the methods he was using. A simple firewall, or some proxy software, would have saved his butt in this scenario...

Re:IP Address Verifier == web bug (5, Interesting)

orthogonal (588627) | more than 10 years ago | (#7901829)

Methinks that would be marketing speak for an HTML mail with a web bug

That's my guess too. If so, had the extortionist had his mail client set up like mine, he wouldn't have had his IP "verified".

My client, actually, is the (rightfully) much maligned Microsoft Outlook, but I don't have a problem with web bugs, because my firewall only allows Outlook to connect to one address -- my domain's mail server -- and only to two ports at that address, ports 110 and 25.

This means no web bugs or any referenced (as opposed to inlined) images are ever displayed. In the few cases where I actually want to see referenced images, this is a minor inconvenience, but it's more than offset by knowing that no spammer -- or corporation -- ever gets verification of my email address.

For most mail, of course, it's not an issue. Important email rarely if ever contains referenced images; indeed I discourage anyone from sending me HTML-encoded email at all.

And if I want to view a url included in an email, I just click on it, and Firebird (which is allowed to connect to any address, so long as it's to port 80) displays the url. If I really want to see an email in its full glory (and I never do), I can always save it and then open it in Firebird.

Re:IP Address Verifier == web bug (2, Informative)

spongman (182339) | more than 10 years ago | (#7901895)

had the extortionist had his mail client set up like mine, he wouldn't have had his IP "verified".
or if he'd been using Outlook 2003, which by default doesn't download images or objects contained within an HTML message.

that reminds me, when was the last time outlook actually allowed you to click an executable attachment and have it run? it had to be 2000, pre sp1, no?

I'm pretty sure you've got it (0)

Anonymous Coward | more than 10 years ago | (#7901937)

When I read the slashblurb my first thought was of the old AIM trick from back in the days when WinNuke still worked... the AIM hides people's IP addresses perfectly, but if you could trick someone into going to a URL you had access to the logs of, you could get their IP anyway...

P.S. your sig rocks

Hmmmm... (4, Insightful)

graveyardduckx (735761) | more than 10 years ago | (#7901734)

and this is where he's going to say his computer was hi-jacked, right? Even Carnibore has its limitations.

Re: Hmmmm... (1)

Black Parrot (19622) | more than 10 years ago | (#7901919)


> and this is where he's going to say his computer was hi-jacked, right?

You don't make extortion calls from your own phone, and you don't send extortion e-mail from your own computer.

However, a friend in a position to know tells me that the typical criminal is incredibly stupid.

Re:Hmmmm... (1)

TheMidget (512188) | more than 10 years ago | (#7901939)

Given how "easy" it was to reel him in with a simple web-bug, I'd say that this is the more likely proposition: a "friend" of his wanted to "thank" him for some favor or other, and in order to do so, he sent rather unsubtle threats to Best Buy, with the victim's return e-mail address. As it is trivial to forge e-mails using open proxies in China or elsewhere, there is no easy way to trace these mails to their real source.

Oh well (0)

Zutroi_Zatatakowsky (513851) | more than 10 years ago | (#7901736)

I hope the guy will still send the info to 2600 [2600.com].

And "Internet Protocol Address Verifier"? Woah! Sounds like a tool in the Uplink game. Never heard of it though. A quick search on Google didn't return anything relevant.

Or even more silly (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#7901741)

"that automatically sent back a response to Best Buy after the company sent a message to the e-mail address."

Just a return receipt request :-)

Internet Protocol Address Verifier ... (4, Funny)

Anonymous Coward | more than 10 years ago | (#7901743)

sounds so much better than "ping"

Well, ironic isn't it? (5, Interesting)

metlin (258108) | more than 10 years ago | (#7901745)

On one hand, if a genuine white hat hacker finds an exploit in a network and told the owners about it, s/he finds himself ostracized for the actions, and is threatened with legalities.

And on the other hand, what this guy tried to do was establish a "business relationship" -- notice that he did try to contact them first with the offer to help them:

The e-mail also offered to establish an unspecified business relationship between the sender and Best Buy, adding: "Without your response, we are obligated to share the security hole with the public for their protection. As a result, Best Buy may experience a loss in business, thefts and lawsuits."

Of course, once he noticed he wasn't getting anywhere, he decided to resort to good ole' blackmail.

Honestly, this was bound to happen some day or the other. When legitimate security people point out bugs and holes, they get treated like scum and are threatened with law suits. So what's the best thing to do? Threaten the companies with money. Even if 0.1% of the companies gave in, it still is a way of making money.

Good, at least this way companies will be more careful about protecting data.

Re:Well, ironic isn't it? (4, Interesting)

tuxette (731067) | more than 10 years ago | (#7901773)

Honestly, this was bound to happen some day or the other.

I think it's happening more often than what we read about in the mainstream press. Most businesses want to keep things hush-hush as to not generate bad publicity.

Good, at least this way companies will be more careful about protecting data.

I doubt it, although I tend to be a pessimist when it comes to these matters. As long as they can hide behind lawsuits, it will be business as usual.

My final note of pessimism: things are going to get much worse before they get better. Brace yourselves!

Re:Well, ironic isn't it? (5, Insightful)

UnknowingFool (672806) | more than 10 years ago | (#7901823)

When legitimate security people point out bugs and holes, they get treated like scum and are threatened with law suits. So what's the best thing to do? Threaten the companies with money. Even if 0.1% of the companies gave in, it still is a way of making money

Although the article is not very detailed in this aspect, his actions do not speak of someone trying to help BestBuy. Some of the info is not released due to security concerns and pending litigation, but this seems more like a blackmail scheme than anything else. If he was serious about helping BestBuy, asking for money ($2.5 million) sent the wrong message because the mafia also used terms like "business relationship" and "offer they can't refuse" when shaking down people as well. Until we know more, all we know is that he said enough in his emails that BestBuy and government thought he was threatening.

Re:Well, ironic isn't it? (1, Insightful)

Anonymous Coward | more than 10 years ago | (#7901828)

You aren't being paid to find their bugs and holes. What right do you have to demand money for it? It's one thing to be a nice guy and point something out, it's another to be a criminal and you don't seem to understand the difference.

Hint: Extortion/blackmail is criminal activity which should be and is punishable under the law.

Re:Well, ironic isn't it? (2, Interesting)

metlin (258108) | more than 10 years ago | (#7901856)

Hint: When my credit card information is at stake, it's a matter of public responsibility on _your_ part to protect it.

As long as I can find ways of fishing that out, you're at fault.

If you have a security flaw that helps 13 year old kids break in and take the credit card information of a few thousand people out there, I think I can say with reasonable assurance that YOU are at fault.

If someone leverages that to their advantage, don't blame them - fix your holes first. That's the way security works.

Like tuxette said, you hear about all these cases where a hacker either makes it public or like in this case someone tries something stupid. But for each known case, there are so many cases out there where frauds are just not brought out to the open simply because companies are afraid of what it would do to their public image.

Maybe his actions were wrong, who cares? As long as companies get shit scared in their pants about what's going to happen if they don't secure their servers, it's good. It's a classic predator prey relationship, and it's inevitable.

Re:Well, ironic isn't it? (0)

Anonymous Coward | more than 10 years ago | (#7901904)

Coincidentally, today I stumbled upon (and not for the first time) a spreadsheet from a large Australian Internet company, who operate internationally, which contained extremely detailed logs of pending business, including credit card details with export, name and CCV security numbers.

Now, this company is one who have reason to publicly state on their web site how seriously they take security (they also sell internet security products) and the measures they take to protect your CREDIT CARD DETAILS!!!!

Of course, I happen to know they keep it all in an unencrypted Excel file and expose it carelessly.

I don't feel like MYOB as that kind of 'lip service only' to security threatens us all.

I have no interest in blackmail, or any financial or other gain but I am worried that if I just tell them then they are sufficiently off the hook just to hide that particular problem.

What is the best way to let a company know they have a problem but also have some way of knowing they actually act on it?

Re:Well, ironic isn't it? (1)

metlin (258108) | more than 10 years ago | (#7901951)

Make a polite call to one of their high ranking folks telling them about the problem? :)

Or, maybe post it on Slashdot ;-)

Re:Well, ironic isn't it? (4, Insightful)

mumblestheclown (569987) | more than 10 years ago | (#7901845)

When legitimate security people point out bugs and holes, they get treated like scum and are threatened with law suits. So what's the best thing to do?

Do nothing and MYOB. If companies lose substantial amounts of money because of lax security, then they will do one of two things:

  • improve their security / invest more in security
  • go out of business and/or be less competitive.
in either case, the consumer wins (as in case 2, more competitive companies will spring up to take their place).

If, as it turns out, that external security consultants are the way to go, then such companies will engage in a business relationship with one of dozens if not hundreds of world class security firms.

What we don't need is whiny "independent security researchers" doing what amounts to unprofessional blackmail attempts ("let's establish a 'business relationship' or I spill the beans."). Computer trespass is computer trespass. We don't need to revise trespass laws to improve security - we need companies to go to legitimate security firms and use their tiger team services and so on.

"Internet Protocol Address Verifier"? (0, Redundant)

blowdart (31458) | more than 10 years ago | (#7901746)

Fancy name for a web bug perhaps? Maybe not, otherwise we'd see Microsoft crowing how lack of security in Outlook Express is useful...

Internet Protocol Address Verifier? Pfft... (4, Interesting)

eaglebtc (303754) | more than 10 years ago | (#7901749)

Hmm, sounds like a fancy name for a computer expert. All you have to do is read the SMTP headers in most email and it will reveal the sender's IP. Just trace it back down the line of servers through which the email was routed, and you get back to the original IP address.

If the sender is spoofing headers, however, this becomes more difficult. Why not just subpoena the ISP for their email data? Doesn't the server keep a log of what IP addresses sent which pieces of email?

For example:

Received: from [65.119.30.157] (helo=SMTP.magnellmail.net)
by snoopy-bak.runbox.com with smtp (Exim 4.24)
id 1Ae9TJ-0006F6-B0
for xxxxxxxx@runbox.com; Wed, 07 Jan 2004 09:55:25 +0100
Received: from mail pickup service by E1SSL2 with Microsoft SMTPSVC;
Wed, 7 Jan 2004 00:56:48 -0800

The above shows that someone at 65.119.30.157 sent this email. It went through their mail server (magnellmail.net) to runbox, my provider. From there, Runbox directed it to my Inbox when I opened Outlook.

There is also a very unique message ID at the end of the headers section:

Message-ID: [E1SSL23ZpEVmkWFBXZG000011b9@E1SSL2]

Could this be used by the Email provider to find out who sent emails, if the IP address is missing or spoofed?
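An added example (not part of the post and not the poster's code) of reading a Received chain the way this comment describes, including the spoofing caveat it raises: each server prepends its own header, so only the hops written by servers you trust are evidence, and everything beneath them is sender-supplied text. The first two headers are the ones quoted above; the third header, the trusted suffix list and all function names are constructed assumptions.

```python
"""Walk a Received: chain and split it at the trust boundary (added example)."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

_HOP_RE = re.compile(r"^from\s+(?P<peer>.*?)\s+by\s+(?P<by>\S+)", re.I)
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Newest header first. The last Received line is constructed to stand in for
# a header the sender could have typed in before submitting the message.
SAMPLE_HEADERS = """\
Received: from [65.119.30.157] (helo=SMTP.magnellmail.net)
    by snoopy-bak.runbox.com with smtp (Exim 4.24)
    id 1Ae9TJ-0006F6-B0
    for xxxxxxxx@runbox.com; Wed, 07 Jan 2004 09:55:25 +0100
Received: from mail pickup service by E1SSL2 with Microsoft SMTPSVC;
    Wed, 7 Jan 2004 00:56:48 -0800
Received: from [192.0.2.55] by mx.forged.example with smtp;
    Wed, 7 Jan 2004 00:50:00 -0800
Subject: constructed sample

"""


def received_hops(raw_headers):
    """Parse every Received header into a dict, newest hop first."""
    hops = []
    for value in message_from_string(raw_headers).get_all("Received", []):
        text = " ".join(str(value).split())      # undo header folding
        info, sep, stamp = text.rpartition(";")  # timestamp follows the last ';'
        if not sep:
            info, stamp = text, ""
        match = _HOP_RE.match(info)
        peer = match.group("peer") if match else ""
        ip = _IP_RE.search(peer)
        try:
            when = parsedate_to_datetime(stamp.strip()) if stamp.strip() else None
        except (TypeError, ValueError):
            when = None
        hops.append({
            "by": match.group("by").lower() if match else None,
            "peer": peer,
            "peer_ip": ip.group(1) if ip else None,
            "when": when,
        })
    return hops


def split_at_trust_boundary(hops, trusted_suffixes):
    """Return (verified, unverified) hops.

    A hop is verified only while the chain, read from the top, is unbroken and
    each header was written "by" a host under a trusted domain. Suffix matching
    is a simplification: a sender can type a header that names your host, so a
    real deployment should also know how many internal hops to expect.
    """
    verified = []
    for hop in hops:
        by = hop["by"] or ""
        if any(by == s or by.endswith("." + s) for s in trusted_suffixes):
            verified.append(hop)
        else:
            break
    return verified, hops[len(verified):]


if __name__ == "__main__":
    chain = received_hops(SAMPLE_HEADERS)
    trusted, claimed = split_at_trust_boundary(chain, ("runbox.com",))
    print("peer seen by our own server:", trusted[-1]["peer_ip"])
    for hop in claimed:
        print("unverifiable claim:", hop["by"], hop["peer_ip"])
```

The address recorded by the last verified hop is the only one the receiving provider observed itself; anything in the unverified part needs corroboration from the logs of the server that supposedly wrote it.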

Re:Internet Protocol Address Verifier? Pfft... (4, Insightful)

ComaVN (325750) | more than 10 years ago | (#7901767)

They tracked mail sent to the address, not received from it.

Re:Internet Protocol Address Verifier? Pfft... (1)

eaglebtc (303754) | more than 10 years ago | (#7901769)

id 1Ae9TJ-0006F6-B0

^^^ what about that part?

Re:Internet Protocol Address Verifier? Pfft... (1)

tintub (733763) | more than 10 years ago | (#7901771)

There is also a very unique message ID at the end of the headers section:

Very unique as opposed to ???

Re:Internet Protocol Address Verifier? Pfft... (4, Informative)

Lumpy (12016) | more than 10 years ago | (#7901774)

no, you are dead wrong.

I can send you an email right now that will only get you to that mail server's address. there is no way in hell you can get my IP address out of it. and then if you try and subpoena that company there is no real information in there about me except one IP address that leads to an http anonymizer... so now you have to subpoena that and hope I didn't do a second hop and was stupid enough to use the first two inside a country that will gladly bend over for your government.

your tactic was useful 10 years ago... today it's mostly useless.

Re:Internet Protocol Address Verifier? Pfft... (0)

Anonymous Coward | more than 10 years ago | (#7901894)

I can send you an email right now that will only get you to that mail server's address. there is no way in hell you can get my IP address out of it.

do you just mean proxies? and can you route email via http?

Re:Internet Protocol Address Verifier? Pfft... (1)

Lumpy (12016) | more than 10 years ago | (#7901953)

yes, yes I can. I use a webmail account that I access through 2 different web anonymizers.

the webmail account is set to display all email as only text. (yahoo can even do something like this, disable images in email)

voila... you are thwarted. and that is the really easy way without any computer or net skills needed. I can go a more difficult route but it's not as effective as the above.

Verifier (3, Informative)

N8F8 (4562) | more than 10 years ago | (#7901751)

I did something similar once. I put a tiny transparent image URL in a letter to try to get the IP address of someone. Then I monitored the server logs where the image was hosted.

Re:Verifier (1)

Malc (1751) | more than 10 years ago | (#7901866)

Of course, it's not going to work in Outlook 2003. Like many of the open source mail clients, it doesn't immediately download images.

Re:Verifier (2, Funny)

random_rabbit (647072) | more than 10 years ago | (#7901887)

You can send HTML letters? COOL! Are you beta-testing electronic paper or something? I'd love to get my hands on some of that.

Internet Protocol Address Verifier (1, Redundant)

stikk (134509) | more than 10 years ago | (#7901755)

Sounds more like an HTML based email, accessing some type of a remote object..
Seems the gov't has a new name for an old technique spammers used years ago to verify read mail.

I respect our government, but how many agents does it take to market old techniques :)

Where is the line to be drawn? (5, Insightful)

etymxris (121288) | more than 10 years ago | (#7901759)

Is it when he offered a "business relation" in exchange for fixing the problem? Or was it when he threatened to disclose the flaw? Or was it merely because he wanted money in return?

Had he just disclosed the flaw, would he be more or less a criminal, ethically and legally speaking? It seems that worse would have come if he had simply published the flaw right away.

Was he justified in asking for compensation for his findings? If not, this seems to obligate us to "work for free" when discovering such a security problem.

What do others here think?

Re:Where is the line to be drawn? (1)

91degrees (207121) | more than 10 years ago | (#7901814)

There's no hard and fast rule. It's a matter of whether his intentions are honest or not. This is based on a subjective opinion, but I think what he wrote sounds like a thinly veiled threat (give me money or I reveal your secret to all the hackers of the world), and I believe that a lot of people would also see it that way.

Had he just disclosed the flaw, it would have been somewhat irresponsible considering only Best Buy have any need to know.

Had he disclosed the flaw to Best Buy, and offered to fix it, then they would not have been obliged to hire him, but that's a risk he has to take. There is no law that says people are entitled to a profit from work they choose to do. If this business model isn't successful, then he'll have to choose another one that is. However, identifying security holes could be good advertising. He is clearly capable of identifying them, and so is also probably capable of fixing them.

There are other things he could have tried. Revealed there was a flaw, but not specified what it was without threatening to release the information, or send them a patch, and let them buy the copyright.

suit talk (4, Insightful)

broothal (186066) | more than 10 years ago | (#7901762)

This is just a case of bad journalism. Of course, there are many methods of getting the IP of the receiver of an email. The most common is a webbug (a link to an image on a server you control), but that requires for the culprit to use a mail client that renders HTML.

"Internet Protocol Address Verifier" sounds like something you'd find in a Movie OS. Of course, like all other buzz words, the name is not related to the alleged function.

They either used a webbug, or checked the IP in the header of the mail he sent with his claim.

MUA bug?!! (1)

paultt (694302) | more than 10 years ago | (#7901763)

...probably using an outlook bug...

Anti-Spam tool? (3, Interesting)

toker95 (645026) | more than 10 years ago | (#7901764)

Personally, why isn't technology like this being adapted to fight SPAM? Maybe the FBI is trying to keep tools like this under wraps so they can continue to use it against people, rather than knowledge of its existence being a deterrent... double-edged-sword I guess. I'm honestly curious how serious the extortionists were... The scheme sounds very half-hatched to me...

Carnivore? More like overreaction (5, Insightful)

bwalling (195998) | more than 10 years ago | (#7901770)

They got a warrant BEFORE they used the program. Whatever the program did - read information from his PC or just return IP address - it was a valid, legal search. We should be considering this a victory for our rights. The only way I can see anyone complaining about this is if the warrant was improperly obtained, but it seems entirely reasonable to "search" the email address that has been attempting blackmail.

Re:Carnivore? More like overreaction (4, Insightful)

revmf (653007) | more than 10 years ago | (#7901934)

Yeah but since PATRIOT, everything is a valid search...

img tag (1)

powlow (197142) | more than 10 years ago | (#7901772)

easier way than checking the server logs for the image loading is to write a simple php script that makes a transparent gif/png. Then use the php script as the src of the img tag and 'do stuff' with that. ;) not sure if you would be able to extract the same amount of info as server logs this way...hmmmm

Re:img tag (0)

Anonymous Coward | more than 10 years ago | (#7901841)

If you own the server, checking the server logs is easier than writing a "simple php script". I have a web page on a hosting site, but it embeds an image from my home server so that I can tell who is looking at the web page without going to the hosting site's logs. Just "grep rfc.png /var/log/http/access.log".

Re:img tag (1)

powlow (197142) | more than 10 years ago | (#7901865)

"ok"

yeah like i said...

I doubt they have anything as fancy as a IPAV (4, Insightful)

Bruce J L (693697) | more than 10 years ago | (#7901781)

They probably just read the mail headers as soon as he replied to the letter they sent him. From this and the time the email was sent they probably had no trouble asking his ISP for the user information. Criminals are not always the smartest apples and he probably didn't even have a way to crack the website.

If he wasn't clueless he would have used a dummy email account and checked it via rental computer or at the very least a dial up account using *69 ( which can still leave your number ) and a prepaid credit card / gift card.

This guy reminds me of the old IRC script kiddies who would do things from their house and wonder how they were tracked down. While anonymizers are available it makes me wonder if he,

a. used one
b. had used a computer before

As to the FBI IP verifier, I find it hard to believe they have anything more advanced than the current jscript / asp / log parsers to pull IP information.

AFAIK the absolute most an email address can yield is the IP of the server. However with the email headers I'm sure you can get an IP without too much trouble with a warrant.

Re:I doubt they have anything as fancy as a IPAV (0)

Anonymous Coward | more than 10 years ago | (#7901812)

Surely, if this guy did find a security flaw in bestbuy, he would be aware of possibilities for granting himself anonymity and would be guarded from simple attacks like the embedded image in an HTML email.

Re:I doubt they have anything as fancy as a IPAV (1)

Viol8 (599362) | more than 10 years ago | (#7901924)

Or more likely he just pretended there was a flaw. After all, a company won't know about a flaw that it doesn't know about, obviously, and by the same logic they won't know about one that doesn't exist because it was invented by an extortionist. If he gave them no details as to where the flaw might be they have to take him at least partly seriously until they've done a complete code review. It would be far too dangerous to call someone's bluff over something like this.

It all makes sense now! (1, Funny)

graveyardduckx (735761) | more than 10 years ago | (#7901783)

Best Buy and the Feds are working together! So that's why I have to return 90% of the hardware I buy from Best Buy!

Note to extortionists... (4, Funny)

Black Parrot (19622) | more than 10 years ago | (#7901787)


Make sure you turn off Message Disposition Notification in your e-mail client.

Web bug (Handy for job application e-mails) (4, Insightful)

SomethingOrOther (521702) | more than 10 years ago | (#7901792)


Internet Protocol Address Verifier? Is this Carnivore in action?"

That'll be a tiny 1x1 pixel gif embedded in an HTML e-mail called from the feds' server. (AKA web bug... You can't turn off HTML in M$ LookOut and this dude doesn't sound very clued up)

Presto, the feds know who opened the mail, how long they looked at it etc etc etc.

A top tip (tm) is to embed a web bug in a job application e-mail. It's interesting to watch your application being pushed around various departments and see who actually reads it.

Re:Web bug (Handy for job application e-mails) (5, Informative)

mosschops (413617) | more than 10 years ago | (#7901876)

You can't turn off HTML in M$ LookOut

Oh yes you can [sniptools.com] - something I rely on to avoid spammers using the same trick!

this dude doesn't sound very clued up

My thought exactly ;-)

Re:Web bug (Handy for job application e-mails) (5, Funny)

Rosco P. Coltrane (209368) | more than 10 years ago | (#7901883)

A top tip (tm) is to embed a web bug in a job application e-mail. It's interesting to watch your application being pushed around various departments and see who actually reads it.

Yes, it's very interesting. For example, here's the log of all the machines that accessed my web bug when I applied for a job at the DHS:

frontdesk.dhs.gov
hr.dhs.gov
check.dhs.gov
check.ins.gov
check.irs.org
it.dhs.org
counterterrorism.dhs.org
legal.dhs.org
submitsubpoena.aol.com
bust.usmarshals.gov

brb 2 secs, someone's at the door...

Re:Web bug (Handy for job application e-mails) (1)

troon (724114) | more than 10 years ago | (#7901921)

Presto, the feds know who opened the mail, how long they looked at it etc etc etc.

No, they know when it was accessed, the user's IP address and the identification supplied by the mail client. They don't know how long it was looked at - HTTP doesn't hold the connection open all the time the image is on the screen.

And the moral of the story is if you receive ... (1)

Viol8 (599362) | more than 10 years ago | (#7901946)

...iffy email then examining it with a simple mail client that won't parse any MIME or HTML first is always a good idea. "mail" springs to mind on unix.
Yes, you can switch off most features in advanced email clients but it's always best to be 100% sure and since "mail" comes with ALL unix systems...

Just do not let (2, Funny)

katalyst (618126) | more than 10 years ago | (#7901793)

the Internet Protocol Address verifier get into the hands of the RIAA.. we would not want more 12 yr olds and college students being fined ridiculous amounts, would we? :D

What carnivore does. (5, Informative)

Chrysophrase (621331) | more than 10 years ago | (#7901796)

Over here [fbi.gov] there is a Congressional Statement of what Carnivore "officially" does, or is "allowed" to do. One paragraph of this statement:

Carnivore is a very effective and discriminating special purpose electronic surveillance system. Carnivore is a filtering tool which the FBI has developed to carefully, precisely, and lawfully conduct electronic surveillance of electronic communications occurring over computer networks. In particular, it enables the FBI, in compliance with the Constitution and the Federal electronic surveillance laws, to properly conduct both full communications' content interceptions and pen register and trap and trace investigations to acquire addressing information.

gives us the gist of it. So yes, this could very well be Carnivore in action.

Re:What carnivore does. (1)

Bruce J L (693697) | more than 10 years ago | (#7901805)

If they used carnivore for this instead of the other methods mentioned I want my 5 billion dollars back

Idiot users and legal hacking (1)

Rosco P. Coltrane (209368) | more than 10 years ago | (#7901810)

It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address.

So I think it's safe to assume that (1) Ray Sixpack was running Windows and (2) Feds have the right to create and use email viruses legally.

Webmail (1, Insightful)

WestieDog (592175) | more than 10 years ago | (#7901811)

I guess the lesson we can learn here is that if you are going to extort, use a webmail service like yahoo. (unless it really was carnivore in action, then who knows if it would help)

Google appears to be stumped too (5, Interesting)

chronus22 (645600) | more than 10 years ago | (#7901816)

This is the first time google [google.com] has heard about it as well, apparently.

Re:Google appears to be stumped too (0)

Anonymous Coward | more than 10 years ago | (#7901859)

Ok, that was actually kind of funny...Mod parent up

Concerns about Best Buy (5, Interesting)

Anonymous Coward | more than 10 years ago | (#7901818)

I'm much more concerned that their cash registers use WiFi without a lick of encryption... I read several stories a while back about people sitting out in the parking lot with sniffers, capturing credit card information...

So now what the white caps do is...publish! (2, Informative)

TyrranzzX (617713) | more than 10 years ago | (#7901857)

When you find a bug, no matter how serious, with someone's system, publish it. Why do I speak such insanity? I reverse engineer hardware and some software for fun; if I find a bug I'll report it because I'm a nice person and I'd like it to get fixed. I understand that our society works only because the black caps have realized when they found a doomsday bug that implementing it would mean they turn society into hell and they'd be right in the middle of it. I'd like to make a difference and help to defend myself by helping others out; this is how I convince my selfish self to help others.

So, since you don't want to treat me with respect like I treat you with respect, from now on I won't be nice or treat you with respect. I'll publish your flaws for all to see. It can be as big a publication as slashdot or bugtraq, or as small a publication as telling my friends and throwing it up on p2p.

I guess we'll have to teach them what happens when they treat us with no respect. This is a decision every white cap has to make for themselves.

I, for one, am done playing the part of the nice martyr. The day I get arrested and incarcerated for releasing information I or someone I know researched because someone doesn't like losing money is the day we no longer live in a free country, and the day I go black cap. Believe me, I don't want it to come to that, I like my steak and potatoes and living in a nice house, but if that's where it's going I am going to defend my hobby.

And they proved what ... ? (3, Interesting)

peio (646164) | more than 10 years ago | (#7901871)

Even if there may be something that can trace which (IP) address an event happened from (though I completely agree with the 1x1 gif idea), I don't see how it may prove something in court.

What if the email was sent (the SMTP server was invoked) from a compromised computer? There are lots of win98 machines online with hundreds of exploits ready, waiting for somebody who needs an IP to do something from. What if the person uses a cascade of proxies and shells?
I will just mention all the possibilities the iproute2 package gives to move network segments and obscure what is going on.

We should do everything possible to prevent the court system to take computer generated information (logs) as a reliable evidence, because it may be just the start of the witch hunt...

Their flaws have been published before (4, Informative)

wathead (730323) | more than 10 years ago | (#7901886)

Anyone that reads 666, otherwise known as the hacker quarterly, knows about all the problems in Best Buy's network.
It even goes in depth on how to get into their private network from a display PC.
How to find info on hiring and firing people etc.
How to order stuff and have it sent.

If he had used spammer techniques.. (5, Informative)

Karl Prince (738370) | more than 10 years ago | (#7901896)

would they have caught him

and few other ways of hiding yourself, as below

1. Dedicated firewalled Linux Laptop with WLAN, and changing MAC
2. WarDrive around for an unsecure internet connection.
3. Use proxies from unsecured PCs, lists available from DBL providers, or your email server logs.
4. Set up a web mail account, and send business proposal.
5. WarDrive to other access point for continuing dialog
6. Travel around a bit to avoid setting a Wardrive pattern

I would think this would be very difficult to trace without social engineering

Re:If he had used spammer techniques.. (2, Funny)

Anonymous Coward | more than 10 years ago | (#7901927)

hate to bite but 7. ??? 8. Profit!

Moral of the story: (1, Interesting)

scorp1us (235526) | more than 10 years ago | (#7901909)

For any black-mail (male?) scheme always be prepared to back it up with several remote sites with cron scripts to email the content to everyone (buy a spam CD) unless you take actions daily/weekly/etc. to prevent the mail from sending. This is so that if you get taken into custody, the whole thing is blown open, since you're fucked anyway!

Anonymous Remailers (2, Interesting)

InsomniaCity (599389) | more than 10 years ago | (#7901936)

The best way to do this would have been to use anonymous remailers and a nym address. Then you are protected from ISPs subpoenaing logs, as well as the email being encrypted and bounced around the net before it ends up in your inbox.

Those interested in finding out more about anonymous remailers should take a look at the APAS FAQ [faqs.org]

However, were he to have the final email arriving in his Outlook, and he decrypted it with the PGP plugin, then a web bug could well have taken effect.

More likely they used some unpublished vulnerability in Outlook, possibly even one that the FBI found themselves...?
