Secret Service BBS raids from the other perspective

I’ve written in the past about the Feds busting people using BBSs for nefarious purposes in the early 1990s. But the only stories I’ve ever heard were from the perspective of the people who got busted, often second or third hand.

Here’s a story from the side of someone who helped the Secret Service for three days in the 1980s.


Was California Republican Tony Krvaric Strider of Fairlight?

A story today about the possibility that a prominent California Republican, Tony Krvaric, was once a co-founder of the Commodore 64 warez group Fairlight caused an uproar on Slashdot today. The claim said Krvaric went by the handle of Strider.

Reading it brought back some memories.


What to do when you’ve been ripped off in a buy/sell forum

I’ve spent the last week chasing a scammer, because I’m a sucker for a good story. I have that story, but I’m not happy with it.

In the meantime, there’s definitely a need for a procedure to follow if you make a deal on a forum or bulletin board and never receive the promised merchandise.

There are several things that you can and should do. The laws are slippery, and in the case of the scammer I’ve been watching, he seems to be pretty careful to keep his fraud under certain thresholds to stay in operation. So you need all the help you can get.

First, gather information. Find the address where you sent your item or payment. Have descriptions of the item(s) you sent and the item(s) you expected to receive, along with fair market value. If you have Paypal receipts or anything like that, print those out. If you have addresses, phone numbers, or any other information, get that too. Finally, if you have an address or phone number, do a Google search to find your trading partner’s local police department.

If your trading partner has ripped off other people and other people are complaining about it, take evidence of this along.

Take all of that information to your local police department and ask to file a complaint. The procedure varies from department to department. An officer might interview you, or there might be a form you can fill out. Whatever it is, be nice and cooperate with them. These guys are on your side, but the more pleasant you are to work with, the more likely they’re going to be to be willing to go the extra mile for you.

Ask if they’ll contact your trading partner’s local police department, or if you need to do that. If you need to do it, call the other police department and give them all the information they ask for. Most likely, your local police department will make contact because they’ll need to work together.

Next, get the feds involved. Some of these guys get away with what they do because their scams involve small amounts of money. But if you mailed your package or payment through the U.S. Postal Service and the person scammed you, now the person is also guilty of mail fraud, which can make a minor crime more serious.

You can report mail fraud by filling out a USPS form online. The process is simple and only takes a few minutes.

Take the time to do this, because there is one scammer out there who’s been getting away with fraud for at least four years, primarily because he seems to be careful to keep the value of each transaction low enough. So you need all the extra help you can get.

I don’t know why five $200 ripoffs don’t equal one $1,000 ripoff. That’s a question for the police.

Finally, contact the FBI Internet Crime Complaint Center. This may or may not help you, but it will help other victims.

Of course you should also contact the administrators of the forum where the deal took place, but all they can do is ban the account. The scammer probably doesn’t care; he’ll be on another forum next week under a different name anyway.

It seems like part of the reason people are able to get away with these schemes is because discussions about them quickly degenerate into flamewars, sometimes with the scammer himself doing everything he can to fan the flames. Then the moderators close the thread or delete it, and then no constructive dialog can take place. Then the scammer just moves on to another forum, where he has no history and is free to do it again.

Talking about it is fine. The problem is, the topic of contacting the authorities usually comes up too late in the discussion, so a lot of people don’t think about it. If they think about it, they might not know where to start.

If you’ve been scammed, please contact law enforcement. The authorities may or may not be able to help you get your stuff back, but if enough people act, they can put a scammer out of business, so other people don’t fall victim to the same scheme you did.

Permission is granted to copy the contents of this post, either in part or in full, to bulletin boards, forums, and personal web sites as long as you provide a link either to https://dfarq.homeip.net/article/20070720124023117 or, if you prefer, to https://dfarq.homeip.net.

Have you noticed your inbox is lighter lately?

The FBI nailed Alan Ralsky.

Ralsky’s reaction? “I’m not a spammer. I’m a commercial e-mailer.”

In other news, Marion Barry doesn’t go to strip bars. He goes to erotic clubs.

Ralsky, if you’re not familiar with him, is one of the more prolific spammers in the world. And while some people sympathize with him since sending spam seems to be the only way he can make a living, the fact is that spam hurts everyone. It wastes your time–the lost productivity dealing with spam has been valued at anywhere from $9 to $22 billion–and it hurts your ISP too.

I know someone who administers mail servers for one of the largest cable companies in the United States. The upgrades to its mail servers cost six figures when they have to do it. This past week he described the situation with spam and worms as “SETI@Home in a DDoS attack against mail.ispname.net.”

If you want to know why broadband Internet access doesn’t cost $5 a month, you can blame people like Ralsky.

Defenders say Ralsky didn’t break any laws. But according to various anti-spam laws, disguising the origins of your mail is illegal, and Ralsky has been guilty of this. To me, this rings of jailing Al Capone for tax evasion. Another question to ask is whether Ralsky has hawked pornography to underage children and whether he has ever hawked prescription drugs. If he had set up a table on a streetcorner and done either of those things, he would have landed himself in jail. If it’s illegal on the streetcorner, it ought to be illegal online. Especially because if he were doing it on the streetcorner, he’s only using a small parcel of public land. When he does it online, he’s utilizing thousands of computers that don’t belong to him.

I was glad when thousands of people signed Ralsky up for every junk-mail list they could find. It told a lot about his character when he remained defiant afterward. Filling his mailbox with junk was wrong, yet he saw nothing wrong with filling our e-mail boxes and he continued to do so.

Someone else will rise to take his place, but it will take time to learn his tactics, and in the meantime, anti-spam tools will get better.

The reason spam works is because somebody buys stuff from it. It might be one out of a thousand, or one out of a million, depending on who you believe. But it doesn’t take much more effort to blast out 3 million messages than it takes to blast out 3 thousand. It’s an attractive business because someone who’s unable or unwilling to do other work can get started with little or no expense, using equipment he or she probably already owns. It’s safer than, say, trying to sell stuff on Ebay. If I list a big pile of stuff on Ebay and it doesn’t sell, I owe listing fees–probably around 30 cents–on each item that doesn’t sell. Plus I’m stuck with that item and out whatever I paid to get it. But if I blast out a bunch of spam and nobody bites, I haven’t really lost anything, except maybe my ISP suspending or discontinuing my service.

The courts need to make an example of Alan Ralsky. Meanwhile, the FBI needs to go find a few of the other big fish in this pond and do the same.

What the press doesn’t want to tell you about Kaycee

Dan Bowman forwarded me a string of e-mail yesterday that raised a number of questions about the press. Apparently there is at least one reporter trying to find out how many people gave gifts to “Kaycee,” and that’s raising some concerns. Why? And why does the reporter want names and phone numbers? And how do you know if the guy’s legit or if he’s making some kind of sucker list?

Since I’m a former reporter myself, Dan solicited my opinion. Maybe he figured a former reporter would recognize one of his own. And I do.

One concern was the reporter’s apparent use of a free e-mail address. This doesn’t cause me any great concern. Not all newspapers have a mail server because not every newspaper can afford to pay a mail administrator–or maybe they’re just not willing to justify keeping a full-time IT guy on hand who’d make more than the editor in chief. Plus there’s the portability issue–use a free, Web-based mail service, and you can read your mail from anywhere with Web access. No need to mess with VPNs or direct dialins or any of that nastiness.

Another concern is why does the reporter want a phone number. Practicality is one issue; a five-minute phone conversation can glean far more information than a mail conversation that takes all day. And the reporter probably wants to hear your voice; the sound of your voice tells a lot. The reporter can’t print that information, usually, but that gut feeling provides valuable guidance. Plus the reporter needs to verify that you really exist, which is something that anyone who had any contact with “Kaycee” will understand.

But if the reporter were any good, he’d be able to track you down, right? You bet he could. But that’s ruder than establishing contact via e-mail. You want the source to be as comfortable as possible. Plus it takes time to do that. In something like this, you’ll cast a wide net as painlessly as possible. If I were writing this story, my very first step would be to go to Weblogs.com, do a search on “Kaycee,” and when I find sites that mention her name a lot, I’d read the posts to get an idea of whether there was any relationship, and if I find any indication, e-mail that person. I may e-mail 100 people. But it only takes three sources to make a story.

Will the reporter honor your wishes, like not printing your full name, or your real name? Quite possibly. I know MSNBC’s Bob Sullivan knew Julie Fullbright’s identity. (Bob taught one of my journalism classes way back when, back when he was a grad student at the University of Missouri. I e-mailed him after his story hit the Web.) He didn’t publish her name–he said her identity couldn’t be confirmed at press time. A white lie? Kind of. But I know Bob didn’t knock on Julie’s door and confirm it. I don’t know whether he called her on the phone and asked if the pictures were her yet still chose to say her identity was unconfirmed. Bob said he wanted to protect her privacy, and knowing Bob, I take him at his word on that. If this was going to turn into a three-ring circus in the press, Bob didn’t want to be the ringmaster. Once her identity became common knowledge, you started seeing her mentioned by name in the news too, and not just on the Weblogging sites.

Chances are very good that the reporter(s) will talk to dozens of people and probably run the best quotes he gets from some of them. For example, I found a nugget in one of Dan Bowman’s messages: “Shelley would really like to know who ate her cookies.” Yes, on one level that’s funny. But baking cookies for someone is a fairly universal act of love, and just about all of us–even baking-challenged superbachelors–can understand the feeling of betrayal when you bake up a batch of cookies and send them to someone, then find out they never got to that person. And if that person didn’t exist at all, it hurts even more.

If you feel like you should give the reporter a piece of information but don’t want to be quoted, use the phrase “off the record.” Most reporters honor that. If you can give them someone else who’ll corroborate what you say, the reporter is even more likely to honor it. Even if that someone else wants to remain anonymous, once three people say something, a reporter can pretty much count it as fact. And since there is some danger of retribution, a reporter will honor that. Most reporters have a soft spot in their hearts for people in danger.

I know you’re nervous about talking about this with a reporter, because I was a crime reporter. Being taken for money is one thing. People don’t like to talk about that because they don’t like to think of themselves as suckers. I know that. Any reporter you’re likely to talk to knows that. But being taken for love is entirely different. People are far less likely to talk about that. Any reporter you’re likely to talk to knows that too. All too well. He or she isn’t likely to do anything to hack you off when good sources are hard to find.

Why is the press taking this angle? Well, the root word of the word “news” is “new.” This is a very old story by news standards. This is the only angle left to take, and the national media has probably stopped caring. If it turns out that more than $1,000,000 worth of gifts were sent to Kaycee, then it’ll become a national story again. If a few hundred people sent postcards and cookies and trinkets, I doubt you’ll hear about it anywhere but in Kansas and Oklahoma newspapers. But in rural Kansas and Oklahoma, anything new that comes about in this case is news.

Why can’t the reporter just read your Weblog? There’s a decent chance s/he already has. But the reporter will want to know how you feel about this now. (That “new” thing again.) And no one wants to print exactly the same quote some other paper did. If you interview the person yourself, your chances of having verbatim quotes lessen.

Is the reporter in cahoots with the FBI or local law enforcement agencies? Probably not. That would be a conflict of interest. It crosses the boundary between reporting news and creating news.

And how can you tell if a reporter is legit? Do a Web search on the reporter’s name. Chances are it’ll show up somewhere. I did a Google search on the reporter’s name in this case, and the first hit had his name, his employer’s name, his editor’s name, and his newspaper’s phone number. If worse came to worse, I could call that number and ask for him. If he’s not there, you can ask whoever answers the phone if the reporter is working on a story along those lines. There’s no guarantee that person will know, but reporters do talk to one another, and future stories do come up in newsroom meetings.

Hopefully that helps people see this thing from a reporter’s perspective. And I suspect that’s probably the last I’ll talk about Kaycee here–the story seems to be losing momentum and people seem to be moving on. And that’s a good thing.

We can’t give hackers anything else to work with

Thanks to David Huff for pointing this link out to me (the good Dr. Keyboard also passed it along). Steve Gibson was hacked last month, and he wasn’t very happy about it. So he set out to learn everything he could about l337 h4x0rs (elite hacker wannabes–script kiddies). What he found out bothers me a lot.

Kids these days. Let me tell you…

In my day, 13-year-old truants (those who had computers and modems) used their modems to dial 800 numbers over and over again long into the night, looking for internal-use-only numbers. Armed with a list, they then dialed every possible keycode combination looking for PINs. Then they’d use that information to call long-distance on the telco’s dime. They’d call BBSs, where they’d swap the previous night’s findings for more codez, cardz (credit card numbers), warez (pirated software), or porn.

I never did those things but I knew a lot of people who did. They’d drop off the face of the earth on a moment’s notice, and rumors would go around about FBI busts, computer equipment being confiscated, kids being hauled off to juvenile detention center… And some of them never came back. Some of them cleaned up. Others, who knows? I heard a rumor about one of them running away to Las Vegas after he got out. And some just got hold of their old contacts and went right back to business. One of my friends cleaned up–the huge phone bill he got was enough of a reality check that he stopped. Whether it was a moral reason or just fear of getting caught again, I don’t know. I knew another who got busted repeatedly, and he’d call me up and brag about how his line was tapped, throwing in the occasional snide remark to whoever else might have been listening. I remember our last conversation. He sent me some code (all of the guys I knew were at least semi-competent 6502 assembly language programmers) and we talked music. I’d been fascinated by that subculture, though I never did anything myself–I just talked to these guys (partly out of fear of getting caught, partly because I did want to have some semblance of a life, partly because I didn’t want to kiss up to a bunch of losers until I’d managed to prove I was elite enough), but at that point I was 16, I’d published once, and I realized as the conversation ended that my fascination with it was ending also. It was 1991. The scene was dying. No, it was dead and pathetic. These “elites” had become the butt of jokes–they were risking arrest so they could call Finland for free and pirate Grover’s Magic Numbers, for Pete’s sake! I guess I was growing up. And I never talked to him again. (I don’t even remember this guy’s real first name anymore–only his handle.)

I guess if I’m going to be totally honest, the only thing that’s really changed are the stakes. I want to say my generation wasn’t that bad… But I don’t know.

Essentially, some guy going by “Wicked” had zombies running on 474 Windows PCs. Some of “Wicked’s” buddies took issue with Gibson talking about script kiddies–they thought he was talking about them–so they told “Wicked” to take him down. And he did. And he bragged about it.


"we will just keep comin at you, u cant stop us 'script kiddies' because we are better than you, plain and simple."

Now, when someone annoys me, I find out what I can about the guy. At 26, I do it to try to get some understanding. At 13 I didn’t necessarily have that motivation, but I did at least have some basic respect. And anyone claiming to be better than Steve Gibson… Gimme a break! That’s like walking up to Michael Jordan and saying you’re better on the basketball court, or walking up to Mark McGwire and saying you can hit a baseball further, or walking up to Colin Powell and telling him you can beat him in a war. And anyone who’s ever written a line of assembly language code and read any of Steve Gibson’s stuff knows it. And it’s not like the guy’s exactly living in obscurity.

Well, Gibson was diplomatic with this punk. And his reasoning and his respect softened him. He called the attacks off. Then they suddenly started again, and Gibson got this message:


is there another way i can reach you that is secure, (i just ddosed you, i aint stupid, im betting first chance ud tracert me and call fbi) you seem like an interesting person to talk to

Say what? You want to talk to someone, so you blow away every other line of communication and ask if you can talk? Now I can just picture this punk once he gets up the nerve to go talk to a girl. He knocks on the door, and the first words out of his mouth are, “I just tesla coiled your phone line so you couldn’t call the cops, but…” Then he’d toss some Kmart pickup line every girl’s heard a million times her way, and hopefully she’d smack him and run to the neighbors’ and call the cops.

For some reason people get hacked off when you do something malicious to them.

Well, Gibson reverse-engineered some Windows zombies and followed them into a l33t IRC channel where he had another interesting conversation. I won’t spoil the rest of it.

Now, I admit when I was 13, I was a mess. I was insecure, and I had trouble adjusting. My voice was cracking, my skin was oily, and I was clumsy and gawky. And I didn’t like anyone I knew when I was 13, because I was the class punching bag. Part of it was probably because I was an outsider. This was a small town, and I wasn’t born there, which was a strike against me. If you got all your schooling there you were still OK. I came in the third grade, so strike two. And I didn’t want to be a hick, so strike three. I liked computers, and in 1987 that was anything but cool, especially in a small town. And everyone thought I was gay, because I didn’t hit on girls and I didn’t have a huge porn collection–and there aren’t many worse things to be in southern Missouri, because it’s still a really bigoted place (and since girls made me stammer, it’s not like I could have proven I was straight anyway). And I had goals in life besides getting the two or three prettiest girls in the class in bed. (Yes, this was 7th grade.) So I guess I was oh-for-two with two big strikeouts. And since I was five feet tall and about 90 pounds, if that (I’m 5’9″, 140 now, and I was scrawnier then than I am now) I couldn’t exactly defend myself either. So I was an easy target with nothing to like about me.

I guess “Wicked” sees Steve Gibson as a five-foot, 90-pound outsider with a really big mouth, so he’s gonna go pick on him. Then he’s gonna go hit on the 13-year-old girl who looks 18, and he thinks taking down grc.com is going to make her swoon and tell him to take her to bed and lose her forever. But since she has a life, she doesn’t give a rat’s ass about whether grc.com is up or down, so hopefully she’ll smack him but I doubt it.

Yeah, I want to say the solution is to make things like they were in 1987 but bullies are bullies, whether it’s 2001 or 1987 or 1967. AD or BC, for that matter.

I want to say that accountability to a higher being will solve everything and make kids behave, but I know it won’t. That grade-school experience I just described to you, with 13-year-olds making South Park look tame and trying to get in girls’ pants? You know where that happened? A Lutheran grade school. Introducing the kids to God won’t fix it. Establishing a theocracy won’t fix it. In college I wrote a half-serious editorial, after a pair of 6-year-olds in Chicago murdered a four-year-old by dropping him out of a 20th-story window after he refused to steal candy for them, where I advocated the death penalty for all ages–maybe then parents would keep an eye on their kids, I reasoned. But I know that won’t fix anything either.

Steve Gibson doesn’t offer any answers. He’s not a social engineer. He’s a programmer–probably the best and most socially responsible programmer alive right now. And what Gibson wants is for Microsoft to cripple the TCP/IP code in Windows XP, so the zombies these script kiddies use don’t gain the ability to spoof come October.

Frankly, I wish such a castrated TCP/IP stack, with raw sockets capability removed, were available for Linux. My Linux boxes are a minimal threat, being behind a firewall and only having a single port exposed, but I’d cripple them just to limit their usefulness to a script kiddie just in case.

Why? Screw standards compliance. The standard for mail servers used to be to allow them to be wide open so anyone could use one, just in case their mail server was down. It was all about being a good neighbor. Then spammers trampled that good faith, so open relays are now the exception, not the rule.

Maybe there’s some legitimate use for raw sockets. I don’t know. But I know nothing I use needs them. So why can’t I run a stripped-down TCP/IP on all my boxes, so that in the event that I do get compromised, my PCs’ usefulness is limited?

If software companies want to provide a full, standards-compliant, exploitable TCP/IP stack for esoteric purposes that need them, fine. Do it. But don’t install it by default. Make it a conscious decision on the part of the systems administrator.
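An added example, not part of the original post: current Linux kernels do not ship a separate stripped-down stack, but they gate raw sockets behind the CAP_NET_RAW capability (a mechanism the post does not mention and the assumption this sketch rests on), so a defender can audit which processes on a box could open one if compromised. The process names and `/proc/<pid>/status` excerpts below are constructed.

```python
"""Audit which Linux processes can open raw sockets (hold CAP_NET_RAW)."""
import os

CAP_NET_RAW = 13  # capability bit number from linux/capability.h

# Constructed /proc/<pid>/status excerpts (process names are made up).
SAMPLE_ROOT = ("Name:\tsshd\nUid:\t0\t0\t0\t0\n"
               "CapPrm:\t0000003fffffffff\nCapEff:\t0000003fffffffff\n"
               "CapBnd:\t0000003fffffffff\n")
SAMPLE_USER = ("Name:\tbash\nUid:\t1000\t1000\t1000\t1000\n"
               "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"
               "CapBnd:\t0000003fffffffff\n")
# A root daemon with bit 13 cleared from every set, bounding set included.
SAMPLE_HARDENED = ("Name:\tmaild\nUid:\t0\t0\t0\t0\n"
                   "CapPrm:\t0000003fffffdfff\nCapEff:\t0000003fffffdfff\n"
                   "CapBnd:\t0000003fffffdfff\n")


def parse_status(text):
    """Extract name, effective UID and capability masks from status text."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if key == "Name":
            info["name"] = value
        elif key == "Uid":
            info["euid"] = int(value.split()[1])  # real, effective, saved, fs
        elif key in ("CapPrm", "CapEff", "CapBnd"):
            info[key] = int(value, 16)  # masks are printed as hex
    return info


def raw_socket_exposure(info):
    """Classify how close a process is to being able to open a raw socket.

    effective: can open one right now
    permitted: can raise the capability into its effective set
    bounded:   lacks it, but a setuid or file-capability exec could grant it
    none:      removed from the bounding set, so no exec can grant it back
    """
    bit = 1 << CAP_NET_RAW
    for label, field in (("effective", "CapEff"),
                         ("permitted", "CapPrm"),
                         ("bounded", "CapBnd")):
        if info.get(field, 0) & bit:
            return label
    return "none"


def audit(proc_root="/proc"):
    """Return (pid, name, euid, exposure) for processes holding CAP_NET_RAW."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                info = parse_status(fh.read())
        except OSError:
            continue  # process exited or is not readable by this user
        exposure = raw_socket_exposure(info)
        if exposure in ("effective", "permitted"):
            findings.append((int(entry), info.get("name", "?"),
                             info.get("euid"), exposure))
    return sorted(findings)


if __name__ == "__main__":
    for sample in (SAMPLE_ROOT, SAMPLE_USER, SAMPLE_HARDENED):
        parsed = parse_status(sample)
        print(parsed["name"], raw_socket_exposure(parsed))
    if os.path.isdir("/proc/self"):
        for finding in audit():
            print(*finding)
```

A service started under systemd with `CapabilityBoundingSet=~CAP_NET_RAW` shows up in the "none" class, which makes removing raw sockets the default and granting them a conscious decision per service.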

Let’s just get one myth out of the way. The Internet isn’t going to change the world. So when the world does stupid things, the Internet’s just going to have to change instead.
