I found the owner of Celeb Jihad dot Com

Posted on August 23, 2017 by erik

Don’t keep naked photos on your phone.

It seems like a simple instruction to avoid all kinds of problems later, but as a person who smoked off and on and on and off and still will grab a cig if available now and then, I cannot really point fingers at all.

It would be one thing to smoke and then have a Gnome track you down and give you cancer. Then it would be best not to smoke but it would be better still to get rid of the Cancer Gnomes. Same with Porn Trolls

Like it or not, naked phone pictures are a part of the intimate and private lives of people these days and are at least as common aids in intimacy candles, Clown shoes and 24/7 loops of anteaters destroying termite mounds projected on the ceiling.

I am not a person who pays attention to celebrities. It bothers me that I pick up information on the vile Not_going_to_write_their_name_here family just by reading the news online or waiting to purchase mouthwash at Duane Reade. But that family seems to plan for the loss of privacy (I suspect their press kits include a speculum) and are probably much more worried about their depilatory budget slipping out in public than an unruly nipple or two.

Celeb Jihad is a bit different. It’s business model is to post fake nudes of celebrities interspersed with real nudes, often available from films they have done and then just enough stolen images that are real to make one wonder how many of the “fake nudes” may also be real.

Of course that is akin to having your house robbed, seeing someone wearing your Clown Shoe (don’t judge me) and claiming you had permission to use it from the owner, who stole it. Celebrity or not it is not right to have someone’s privacy put up to ridicule or other activities simply because they have been on TV or are famous.

One of my theories of Cyber Crime is that if you expose the person behind the crime, many more incidents will stop. This is because it tends to be the same people behind similar activities. Too many “Cyber Security” people will think that if you stop one, another takes it place, but without exposure to the elements and to the law they just start over again. I suspect the same is true with “PR Nightmares” so I figured I would do an experiment and try to track down the likely owner of Celeb Jihad.

—-edit—–

I succeeded in tracking down the actual owner. Nice guy it turns out. As with everything, things are not as they appear in the world of “Celebrity Hacking”. Plus people get weird. I mean really weird. Like “OMG I better call the FBI before someone gets hurt.” weird.

So, No crimes were actually committed. Think about that for a second. Because you can say things like “but wait…but what about..” Yep. No crime.

Certain people who pass my own background checks will be allowed to see my methods and results. Email me.

Scott P. Havens was wrong

Posted on July 19, 2016 by erik

Like any vain person I google myself. I am pretty boring and I am fine with that.

But one thing that shows up is this link How Not To Handle Security Problems.

This was from when I worked at Arvixe in support. There was a scanner that created false positives for the heartbleed vulnerability when our servers used a non vulnerable OpenSSL and were not susceptible to Heartbleed but Scott Havens, did not seem to get this so he wrote a post exposing our great technical support staff by name on his blog back in 2014.

Most of us left Arvixe when it was transferred over to EIG via A Small Orange Webhosting. From the time Scott Haven’s wrote about us we never once had our OpenSSl on any server cracked or hacked or any information stolen via the Heartbleed bug because we were never vulnerable. Anything that happened after October 1st 2015 I cannot comment on since I was not working there after that date but in case people google names and say to themselves “Wow, they did not patch for Heartbleed! I am not going to hire them!” I just want to say that Hrishakesh W. James G., Michael Carr, Ryan C., and Patrick Stein + all the other folks I worked with at Arvixe were great and we handled this request the best we could because Scott Havens did not understand that Heartbleed scanners did not work on our OpenSSL version. We were never vulnerable, so therefore there was nothing to handle so we handled the non-security issue perfectly.

Crime Could Have Paid (maybe).

Posted on April 25, 2016 by erik

At some point we read in the news about a murder for an amount of money that seems senseless, especially given the amount. I cannot recall the story exactly but there was one where a person in a homeless shelter was murdered over a debt of tube-socks.

In the homeless world where clothing and shoes are donated, socks are not, so discount socks become a valuable commodity. Quite sad this happened but as one goes up the socioeconomic ladder we see crimes that reflect the values of the class and perpetrators. An Oxy addicted bank robber might kill someone over $2000.00 to $4000.00, a typical amount taken when a threatening note is passed to a teller. An Armored car robber might not bother killing someone for that fee and certainly would not bother to kill someone over socks, but at over $100,000? I am sure its been done for that amount or less.

Some jobs pay well. A few years ago I was involved in a Penetration test where we had to “capture the flag” (present the contents of a file to a supervisor) for pay plus a bonus if a glaring weakness was discovered. I set about trying to get into the company from within, since I figured they would have shiny new firewalls and a 24/7 admin team and someone, someone always knows that a Pen Test is going to happen because most people are terrible at keeping secrets and no one wants to look bad.

I did a google search on the company. Nothing really interesting but that is always my first step. The next I did a whois search and found that they had 4 nameservers, 2 were third party, most likely secure, and 2 were of the same domain name and in a sequential IP address . So I did a “host -al domain.name ns1.domain.name” type lookup and all the subdomains popped up and they all had IP addresses not belonging to the webhost.

A quick scan of port 80 and port 443 revealed open ports on a number of internal servers. One that looked interesting to me was hr.domain.name. I pointed my web browser to the HR site and it had all types of useful information including the procedure for starting your first day on the job. The person to see, what to bring (photo ID for passport, Drivers License and job ID) . It also had instructions for supervisors. One was that the supervisor had to have the resume of the new hire on file within 2 months after the 1 month trial period for new hires had ended. That was a 3 month limit. I signed up on their “careers” site and applied for a job as a network admin and submitted a 17k jpg file saved as a txt file and then a .docx file…so it was gibberish. (I would submit again if needed) and I was emailed back a Thank You for Applying notice that gave the Job ID.

The next day I followed instructions on the HR server, talked to who I was supposed to talk to, filled out tax forms, signed an agreement that I was employed for 1 month only on a trial basis (the term “A Good Fit” was not used then, but I am sure it is now) I watched a video on diversity and harassment policy, I agreed not to ask anyone out on a date and then I reported to the Senior System Administrator. I was also told to bring my resume again as they were not able to read the one they had on file for some reason.

He was baffled as to why I was there. He said “who hired you?” and I said “I don’t think he is here now or he would have met me” and he said “Dave”. You must be hired for the second shift.

I left and had a coffee, then I had about three beers, then a coffee and then some Life Savers and went back for the start of second shift. I met “Dave” and said “Bob told me I was on second shift”

And I was in.

I got the file easily as I had access to everything from the start. The next morning I contacted my supervisor for the gig and told him the contents of the file. Then I told him how I got it.

He was quite angry, He said it was a penetration test of the firewall and passwords and other technical things. I got paid for the job but I did not get the bonus.

Then I wondered, what would have happened had I just quit my security gig after getting the Network Admin gig? I would have had a job that paid about $90,000 per year if I made it through the one month trial period. I would have known about the file and protected it and made my team look really good. But I would have gotten the job via fraud. If I was ever discovered people would have had a good reason to never hire me again for anything.

But it could have been a crime that paid. I likely would have never gone to jail for it even if I had been discovered. I probably would have never even been arrested.

People are deceptive at job interviews all the time. People exaggerate on their resumes quite often, this would have just been one step above that by never actually going to an interview.

For $90,000 there are people out there who would kill for that amount, but $90,000 + health and dental & a 401k and maybe some profit sharing and a chance for a promotion and Christmas bonus for 5 years or more?

That is tempting and perhaps I was foolish for doing the job I was hired to do instead of doing the job I was never hired to do for more money and more stability, but here I am now.

I have always had this in the back of my mind. I wondered who has done this? Who has done something similar? A well crafted career fraud can pay better than most crimes and be legal and have your proceeds “laundered” because you have been getting them as a legitimate paycheck and paying taxes on it.

Yesterday on LinkedIn I saw a “Trending” story about an ex-poker player named Haseeb Qureshi who landed a $250k job with Airbnb with about 1 year experience as an instructor at one of those “coding camps”. The interesting thing about the story is that Qureshi had previously been involved in a poker scam where fake accounts and references were used to produce a profit. More later as I investigate this.

And it might be the guy is completely legitimate but I saw a bit of my penetration testing technique in his story so I have to check it out.

What if Security and Insecurity are The Same Company?

Posted on May 9, 2015 by erik

“Hacking” as cracking and illegal compromise of accounts and systems online is now called, is a big industry. A hacked WordPress site (many of them are) can easily bring in $1 to $20 a day for the operator. This does not sound like much but if you control thousands of these hacked sites and live out of reach of countries prone to prosecute you it can be a really good income.

So that is why we have companies that protect things like websites, email and social media accounts. Local Law Enforcement still has to be given a finger puppet show to explain what the complaint is, what law was broken and why they should care (its been getting better over the years, but still quite slow) so we need security companies and security services to act where Law Enforcement cannot or refuses to act. They also serve as intermediaries between Law Enforcement, Web hosting companies and web sites and can make a frustrating situation easier…for a price.

The other day I had a wave of curiosity about this. I wondered if anyone who offered a security service for “hacking” would also offer a hacking service.

It would be a good plan. You could use your leads created by the hacker for hire site to solicit customers for your white hat website.

So I googled “hackers for hire” and eventually found an article written by Matthew Goldstein found here:

Need Some Espionage Done? Hackers Are For Hire Online

The article is about a website called Hackers List. This is a clearing house for services that are often illegal and the site owners get a cut once a job has been finished. (from the article)

“It is done anonymously, with the website’s operator collecting a fee on each completed assignment. The site offers to hold a customer’s payment in escrow until the task is completed.”

Some of the things quoted on Hackers List are this:

University Grade alteration (hacking into School computers was illegal last time I looked…I never looked…I have guessed this and I assume I am correct) facebook accounts and an odd thing called McKinnley for $200 to $300 (I was tempted to join as “Czolgosz” and bid on that one) so seems like the site owners are making money off of crime and benefiting from both volume of business and price.

The really interesting part came later in the article when an ethical hacking company or White Hat was quoted:

“Still, the market for hackers, many of whom comply with the law and act more like online investigators, shows no signs of slowing. Many companies are hiring so-called ethical hackers to look for weaknesses in their networks.

David Larwson, a director of operations with NeighborhoodHacker.com, which is incorporated in Colorado, said he had seen increased demand from companies looking to make sure their employees are not obtaining sensitive information through hacking. He said in an email that companies were increasingly focused on an “insider threat” leading to a breach or unauthorized release of information.

On its website, NeighborhoodHacker describes itself as a company of “certified ethical hackers” that works with customers to “secure your data, passwords and children’s safety.” “

I did some checking and found out that the two companies, neighborhoodhacker.com and hackerslist.com seem to have the connection making both a Grey Hat company (one being a conduit for legal security work and the other being a conduit for illegal work and profiting from both)

The WHOIS of NEIGHBORHOODHACKER.COM

Domain Name: NEIGHBORHOODHACKER.COM
Registry Domain ID:
Registrar WHOIS Server: whois.1api.net
Registrar URL: http://www.1api.net
Updated Date: 2014-03-30T21:48:40Z
Creation Date: 2012-05-04T22:20:32Z
Registrar Registration Expiration Date: 2016-05-04T22:20:32Z
Registrar: 1api GmbH
Registrar IANA ID: 1387
Registrar Abuse Contact Email: abuse@1api.net
Registrar Abuse Contact Phone: +49.68416984×200
Reseller: iwantmyname http://iwantmyname.com
Domain Status: ok
Registry Registrant ID:
Registrant Name: Neighborhood Hacker
Registrant Organization: Neighborhood Hacker LLC
Registrant Street: 590 w hwy 105 ste 274
Registrant City: Monument
Registrant State/Province: CO
Registrant Postal Code: 80132
Registrant Country: US
Registrant Phone: +1.8889660937
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: charles@charlestendell.com
Registry Admin ID:
Admin Name: Neighborhood Hacker
Admin Organization: Neighborhood Hacker LLC
Admin Street: 590 w hwy 105 ste 274
Admin City: Monument
Admin State/Province: CO
Admin Postal Code: 80132
Admin Country: US
Admin Phone: +1.8889660937
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: info@neighborhoodhacker.com
Registry Tech ID:
Tech Name: Neighborhood Hacker
Tech Organization: Neighborhood Hacker LLC
Tech Street: 590 w hwy 105 SOE 274
Tech City: Monument
Tech State/Province: CO
Tech Postal Code: 80132
Tech Country: US
Tech Phone: +1.8889660937
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: info@neighborhoodhacker.com
Name Server: ns01.domaincontrol.com
Name Server: ns02.domaincontrol.com
DNSSEC:
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/

And the WHOIS of HACKERSLIST.COM before the 1/15/2015 article
Registry Domain ID: 1882636295_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.1api.net
Registrar URL: http://www.1api.net
Updated Date: 2014-10-28T19:43:27Z
Creation Date: 2014-10-28T19:43:25Z
Registrar Registration Expiration Date: 2015-10-28T19:43:25Z
Registrar: 1API GmbH
Registrar IANA ID: 1387
Registrar Abuse Contact Email: abuse@1api.net
Registrar Abuse Contact Phone: +49.68416984×200
Reseller: iwantmyname http://iwantmyname.com
Domain Status: clientTransferProhibited – http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Charles Tendell
Registrant Organization:
Registrant Street: 590 W Hwy 105 ste 274
Registrant City: Monument
Registrant State/Province: CO
Registrant Postal Code: 80132
Registrant Country: US
Registrant Phone: +1.7204320389
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: info@neighborhoodhacker.com
Registry Admin ID:
Admin Name: Charles Tendell
Admin Organization:
Admin Street: 590 W Hwy 105 ste 274
Admin City: Monument
Admin State/Province: CO
Admin Postal Code: 80132
Admin Country: US
Admin Phone: +1.7204320389
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: info@neighborhoodhacker.com
Registry Tech ID:
Tech Name: Charles Tendell
Tech Organization:
Tech Street: 590 W Hwy 105 ste 274
Tech City: Monument
Tech State/Province: CO
Tech Postal Code: 80132
Tech Country: US
Tech Phone: +1.7204320389
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: info@neighborhoodhacker.com
Name Server: ns1.iwantmyname.net 62.116.159.99 2001:4178:0003:a357:0062:0116:0159:0099
Name Server: ns3.iwantmyname.net 89.146.248.96 2a01:0130:2000:0118:0089:0146:0248:0096
Name Server: ns4.iwantmyname.net 74.208.254.95
Name Server: ns2.iwantmyname.net 217.160.113.131 83.169.55.71 2a01:0488:2000:0c02:0083:0169:0055:0071
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/

And on January 16th 2015, one day after the article appeared.

Domain Name: HACKERSLIST.COM
Registry Domain ID: 1882636295_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.1api.net
Registrar URL: http://www.1api.net
Updated Date: 2014-10-30T10:21:01Z
Creation Date: 2014-10-28T19:43:25Z
Registrar Registration Expiration Date: 2015-10-28T19:43:25Z
Registrar: 1API GmbH
Registrar IANA ID: 1387
Registrar Abuse Contact Email: abuse@1api.net
Registrar Abuse Contact Phone: +49.68416984×200
Reseller: iwantmyname http://iwantmyname.com
Domain Status: clientTransferProhibited – http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: David Harper
Registrant Organization:
Registrant Street: Po Box 11671
Registrant City: Wellington
Registrant State/Province: CO
Registrant Postal Code: 6142
Registrant Country: NZ
Registrant Phone: +64.11111111
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: 1534387e@opayq.com
Registry Admin ID:
Admin Name: David Harper
Admin Organization:
Admin Street: Po Box 11671
Admin City: Wellington
Admin State/Province: CO
Admin Postal Code: 6142
Admin Country: NZ
Admin Phone: +64.11111111
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: 1534387e@opayq.com
Registry Tech ID:
Tech Name: David Harper
Tech Organization:
Tech Street: Po Box 11671
Tech City: Wellington
Tech State/Province: CO
Tech Postal Code: 6142
Tech Country: NZ
Tech Phone: +64.11111111
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: 1534387e@opayq.com
Name Server: duke.ns.cloudflare.com
Name Server: gene.ns.cloudflare.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/

We can see some similarities here that are hard to deny.

I contacted tech support for a quote from both companies and both support technicians were not able to comment either due to lack of knowledge or company policy (both were very polite).

I do not think it is unreasonable to question the practices of both companies. Or to one Charles Tendell who, according to his web site, is a Certified Ethical Hacker.

http://charlestendell.com/

http://charlestendell.com/about/certifications/

http://azoriancybersecurity.com/

Also for Fox News and Lockheed Martin. I do not know, perhaps it is a smear job against Mr. Tendell (always possible) but I would think most smear jobs would be better known and not found out because some guy with a day off had a brain fart and access to google and whois.

—update—

Not a smear job. New York Times article will be up on 5/13/2015

How to Thwart Chinese Hackers

Posted on March 6, 2013 by erik

I enjoy being wrong.

The most I have ever learned has always been from the realization that something I believed was really not true at all. It always causes evaluation and introspection which is needed so as to not become an “Archie Bunker” like character as years go by.

I had a moment like this a while back sometime after my Dear Abby parody post, and that was that the Chinese Government is Really attacking Government and business networks and websites. I know most of you are thinking “Just now? Its been all over the news for years” I know this, but the fact was I did not really believe it then because I saw Spammers based in China doing scripted attacks in order to get an unwilling machine to host a website selling pills or providing backlinks to “SEO” nonsense that complimented their message board and social media SPAM posts. So I had good reason to believe others were misidentifying the pattern that I had correctly identified.

Until I started seeing patterns myself.

The first patterns I saw were coming from 210.75.192.0 – 210.75.223.255 owned by the Beijing Information Highway Corp (love that name) but they followed the ones I see from all over the world; random times, pointless visits and attempts to register and attempts to post. Successful posts are done in poor English and it is clearly the model of spammers using compromised computers that likely have pirated software installed on them so they never have security patches. This is what made me believe that there was no Chinese Government conspiracy. Then from the same IP blocks I started seeing things differently. I still saw the spammers but I also saw attempted logins to ssh, ftp and telnet. I even saw port 25 get lots of VRFY attempts. The pages searched for on port 80 and port 443 involved wp-admin and another for chef/common.rb and chef/cookbook/cookbook.rb which seemed to be a directory traversal attempt or perhaps looking for an error message. What was odd about these attacks was that they started at about 8:30pm EST and ended about 4:30am EST. I blocked one particularly annoying IP that was doing the weird directory traversal thing looking for Chef Configuration Management software (I suspect one would really like to get a hold of configuration management software to configure your own compromised machines) and trying MySQL injection with attempts like '1'='1-- and admin'/* and as soon as I did that the same stuff appeared again from an IP in Bogota Colombia that turned out to have been an Adtran 904 that had a default setting of admin and password for its security credentials and a VPN to the IP in China I had just blocked and a few others on the same Beijing IP block as well.

So I did what any sane person would do and didn’t touch anything and instead blocked the Colombian IP (I was very tempted to remove all VPN configurations and change the password but I did not). After that I just got the same old spammy probes from China and visitors to index.html that just hung around until their sessions timed out.

What I checked out later is that Beijing switched government hours from 8:30 to 5:30 to 9am to 6pm. This, to me, meant that people showed up for work 13 hours ahead of EST in Beijing, checked e-mail and assignments for maybe 30 minutes and then started working on their 9 hour day and then around 30 minutes before leaving they stopped working and perhaps wrote summaries of their day and went home. What is odd is that I did not see what appeared to be a “lunch” hour. This tells me they are either being worked very hard or (more probably) love their jobs attempting to break into stuff.

I wish I had more IP addresses to fool around with. I could then make a virtual machine as a honeypot but really customize it. Maybe with some poorly written php that would make MySQL vulnerable and a separate virtual machine for logging. But I do not have those kind of resources.

I would really like to write a script to focus on timestamps between commands and see what commands are made when they do get in. I could then judge whether they are using a script like Metasploit or perhaps even have to get approval from a supervisor before privilege escalation and even be able to judge their language proficiency based on spelling and grammar mistakes. In a way I am not sure why we are afraid of them when we can use them to actually understand them since they do not really hide (or not the one’s I saw anyway).

Now..How to Thwart them. I do not know why they use directory traversal maybe just testing to see if a web application forgot to check for ../../ and unicode type strings or maybe there is another vulnerability out there? But I think I would avoid writing my own web applications to go live right away for a while especially when so many more secure CMS exist today.

I also would make it so Configuration Management Software such as Puppet or Chef is never available to remote administration (that could be one of those disasters no one knows about until it is too late).

The other steps are normal security best practices like good passwords, never putting in a DVD or pen drive that you find just laying around somewhere.

I believe the main key to thwarting hackers from China (I really should not say “Chinese hackers but you all know that I mean “Sponsored and employed by the government of China” when I say that) is studying their bureaucracy from what clues they give us by their online presence. Right now I know from my experience with them is that they show up for work, put in about 8 hours and then stop working. I also am pretty sure they are based in Beijing and they attacked routers in countries other than the nation where their target exists. (perhaps we have compromised Adtran Routers here in the US that are used to attack Iran, Venezuela or Russia).

More exploration is needed and I am quite sure this is what they are saying about us as well.

Part I: “Low tech hackers” are nearly impossible to stop

Posted on December 11, 2012 by erik

When an organization or an individual has a security or privacy breech from the internet we often assume it was done either by a young male with intimate knowledge of computers and the networks they are on or by a “script kiddie” who got the equivalent of a skeleton key that someone else has made so they can let themselves into your life in some way. When these people do attack it is often just once and then they are off. They are best stopped by “locking the doors” because how they get in to where they are not supposed to be is by wandering around and trying doors to see if they have been left open or using old key cards that should have been changed ages ago.

We know about these people. Books have been written on stopping them. Businesses have been formed based solely on stopping them. Software has been written to seek and destroy their tools but yet there are more of them than ever before. One thing people keep as a secret in the security world is this:

Breaking into computers is fun.

Most of us can thank VMWare and Xen for both keeping our skills up and keeping that money making “white hat” on our heads as we ride off into the sunset having saved the day and taken home a check but we had fun doing it and the person whose work we were mitigating had fun giving us work. It is like that Warner Brother’s cartoon with Sam and Ralph, with both sheepdog and wolf working for the same company but one to protect the sheep and one to try to eat them.

Not all hackers have skill. Not all hackers even know that they can go online to get tools that they need to break in to places. Not all hackers have fun doing what they do. They do it for reasons that make computer security people, firewalls and anti-virus software useless. They do it because they have a compulsion to do it. They do it because they feel they have to. They do it because they are often mentally ill. They are also impossible to stop using conventional methods.

The “low tech” security risk can be especially difficult because often these people have all the time in the world. When you have an obsession and unlimited free time you can get creative in ways a more technological savvy person will not bother with.

One group I did work for had a problem. They had a fellow who used their website to send messages to a women he had “fallen in love with” but who had rejected his advances. He decided that she visited this website (she didn’t..it escalated to the point of me talking with her by phone) and that he would send out communications to try to get her attention.

What he did instead was disrupt the website that he used as a “stalker pulpit”. He was denouncing the woman and all other forms of injustice against him and slowly turning the focus of the site away from it’s intended purpose to be about him and his failed love life.

Then he started to solicit users of the website to contact the woman through her place of business and that was when I was contacted to stop him.

What logs did I have to look at? None. What did he break into? Nothing at all? But imagine you run a burger place and someone comes in and decides to set use your booth as a space to promote their religion. If you do not move to stop it, you risk having your customers going elsewhere to get away from being preached to. In a burger place that is easy, you kick them out, and maybe contact the police if needed. On a website with open registration that is more difficult.

The first thing I did was try to block the IP addresses this person posted from. He then moved from his home to cyber cafes. I even found a cyber cafe with security cameras in their IP block that were open to the internet. I remember this well because this cafe had a giant tree growing in the middle of it. So when he would log on from that IP I would type in the IP of the camera with my browser and see him sitting at a computer logging into the website he was banned from.

I then decided I needed more information so I contacted the woman who was the object of his obsession. She had never met him but she did have a restraining order and he had his own case officer with the RMCP. She then told me a creepy story about how one night she had heard rustling in the bushes near her house and she thought nothing of it but when she went outside the next day on her porch was a picture of her stalker dressed in an all white suit (like Mr. Roark from Fantasy Island). I should have kept my mouth shut but I told her that he kept on posting pictures of himself dressed in all white with cryptic messages which must have meant he still thought she read the website. I should have known this would frighten her. I had forgotten that to her this was person trying to invade her life but I was seeing everything as just facts and coincidence and forgot myself and I still feel bad about doing that.

She contacted the RCMP case worker (I don’t know what the official title is since I am not Canadian) and suddenly website activity stopped, but six months later it started again.

(more later)

A little noticed bit of computer security

Posted on December 10, 2012 by erik

A while back this very strange thing happened.

A few men with beards entered the United States, shaved, went to a strip club and then flew airplanes into buildings.

I know this happened because I saw it from sixth avenue somewhere between West 4th Street and Houston. People who did not see this sometimes try to tell me it was some sort of conspiracy but I am very sure I saw this because this is one of those things that is impossible to forget. My perception was a bit off though because I thought people jumping out of the North tower were birds and I almost wish I still believed that today, but I do not.

Anyway, things were weird after that. People walked around with this expression on their face that looked like they could either burst into tears at any moment or that they were going to start screaming until someone gave them Haldol. During this time of contorted faces there was also a time where self styled “Internet Vigilantes” would target Muslims, people who opposed targeting Muslims, and “Liberals” (said by people who use the term liberal like they use the term faggot; not meaning a bundle of sticks). It was quite revolting but the climate was such that it was very difficult to do anything. I once got a death threat online for opposing the use of Neutron bombs to wipe out Muslims (in hindsight that was a discussion where I should not have tried to use calm, collected facts). Some of the people doing this targeting were self described “hackers” and so some friends and myself went to work opposing them but we did so in secret. Like most bullies, these people had no problem asking authorities to back up their menacing and the environment we were in then made it so the authorities would most likely help them.

So, we had a team together. I am not even sure what you would call us but perhaps it is something that is best not to be named. I did research and tracking, another friend of mine found and then baited the targets to attack and another fellow, named Kevin Bacon (not the actor but he used his famous namesake to make sure he never appeared on a google search) did damage control by use of his law enforcement connections to realize that the people carrying out the cyber attacks and harassment were more akin to terrorists than American Muslims and anti-War activists. (I use Kevin’s name because he is no longer with us. He died sometime in 2010 but it is hard to get the information since googling “Kevin Bacon” and “Died” does not produce anything useful).

One group we did (not naming names though I can via private correspondence) took us about four years to end. It was simply because we were patient and not that we were slow or clueless. Many of these kinds of people have such short term memories that they assume if they were not arrested right after the incident then that meant they were safe. This group of hackers actually had only one skilled hacker who, for some reason willingly did illegal things but he was terrified of the consequences. I caught him by contacting a System Administrator at a University in Singapore that was a favorite proxy of the group. At first he was a bit cocky with me, denying the existence of the proxy and then admitting he set it up for “friends only” and when I named dropped a school administrator who would have been his supervisor he became incredibly cooperative. I was delivered log files for the proxy for the times of the attacks I was researching. I gave the IP of the user to Kevin, and Kevin called up an ISP after one of his Law Enforcement contacts called the ISP and told them to expect Kevin’s call.

So we got a name tied to four years of death threats and four years of various cyber attacks. When you contact someone like this they go through a “Stages of Death” like Elizabeth Kubler Ross wrote down so many years ago.

1. Denial & Anger (lots of threats ranging from violence, lawsuits, and police involvement)

2. Bargaining (there is one word you can say..for this one is was “Singaporean Proxy Logs” that gets them to calm down and try to negotiate)

3. Depression (when you inform them that the only way nothing will happen to them is to do exactly as you say…this really bums them out)

4. Acceptance. (they agree to your terms and become happy because it is inevitable)

This fellow gave up and paid restitution (plus interest that we set at 10%) to those we tracked down and he ratted out all of his friends and told us everything about them.

All this because of 9/11 and I am certain there were similar groups doing similar attacks then too…..But that was a lot of fun. I love doing this sort of work but it is really difficult to put in a resume.

Mutum cogitationes ex homo intelligens

Erik Solomonson: Stuff I have done, places I have been and people I have met

Category Archives: Computer Security