The Center for Education and Research in Information Assurance and Security (CERIAS)

CERIAS Blog


Who ya gonna call?


This morning I received an email, sent (I assume) to a list of people. The subject of the email was “Computer Hacker’s service needed” and the contents indicated that the sender was seeking someone to trace back the sender of some enclosed email. The email in question? The pernicious spam email purporting to be from someone who has been given a contract to murder the recipient, but who, on reflection, will not do the deed if offered a sum of money.

This form of spam is well-known in most of the security and law enforcement communities, and there have been repeated advisories and warnings issued to the public. For instance, Snopes has an article on it because it is so widespread as to have urban legend status. The scam dates back at least to 2006, and is sometimes made to seem more authentic by including some personalized information (usually taken from online sources). A search using the terms “hitman scam spammer” returns over 200,000 links, most of the top ones being stories in news media and user alert sites. The FBI has published several alerts about this family of frauds, too. This is not a rare event.

However, it is not the author’s having missed those stories that prompts this post; after all, none of us can be aware of everything being done online.

Rather, I am troubled that someone would ostensibly take the threat seriously, and as a follow-up, seek a “hacker” to trace the email back to its sender rather than report it to law enforcement authorities.

One wonders, if the same person were to receive the same note on paper, by surface mail, whether he would seek the services of someone adept at breaking into mailboxes to seek out the author. Even if he did that, what would it accomplish? Purportedly, the author of the note is a criminal with some experience and compatriots (these emails, and this one in particular, always refer to a gang that is watching the recipient). What the heck is the recipient going to do with someone—and his gang—who probably doesn’t live anywhere nearby?

Perhaps the “victim” might know (or suspect) it is a scam, but is trying to aid the authorities by tracing the email? But why spend your own money to do something that law enforcement is perhaps better equipped to do? Plus, a “hacker” is not necessarily going to use legal methods that will allow the authorities to use the results. Perhaps even more to the point, the “hacker” may not want to be exposed to the authorities—especially if they regularly break the law to find people!

Perhaps the victim already consulted law enforcement and was told it was a scam, but doesn’t believe it? Well, some additional research should be convincing. Plus, the whole story simply isn’t credible. Then again, if the victim really does have a streak of paranoia and a guilty conscience, perhaps this is plausible. In that case, though, whoever is hired would likewise be viewed with suspicion, and any report made is going to be doubted by the victim. So, there is no real closure here.

Even worse, if a “hacker” is found who is willing to break the rules and the laws to trace back email, what is to say that he (or she) isn’t going to claim to have found the purported assassin, that he is real, and that the price has gone up, but that the “hacker” is willing to serve as an intermediary? Once the money is paid, the problem is pronounced “fixed.” This is a form of classic scam too—usually played on the gullible by “mystics” who claim that the victim is cursed and can only be cured by a complicated ritual involving a lot of money offered to “the spirits.”

Most important—if someone is hired, and that person breaks the law, then the person hiring that “hacker” can also be charged under the law. Hiring someone to break the law is illegal. And having announced his intentions to this mailing list, the victim has very limited claims of ignorance at this point.

At the heart of this, I am simply bewildered how someone would attempt to find a “hacker”—whose skill set would be unknown, whose honesty is probably already in question, and whose allegiances are uncertain—to track down the source of a threat rather than go to legitimate law enforcement. I can’t imagine a reasonable person (outside of the movies) receiving a threatening letter or phone call then seeking to hire a stranger to trace it back rather than calling in the authorities.

Of course, that is why these online scams—and other scams such as the “419 scams”—continue to work: people don’t think to contact appropriate authorities. And when some fall for it, it encourages the spammers to keep on, increasing the pool of victims.

(And yes, I am ignoring the difficulty of actually tracing email back to a source: that isn’t the point of this particular post.)


Security Through Obscurity

I take some of the blame for helping to spread "no security through obscurity," first with some talks on COPS (developed with Dan Farmer) in 1990, and then in the first edition of "Practical Unix Security" (with Simson Garfinkel) in 1991. ... The origin of the phrase is arguably from one of Kerckhoffs's principles for strong cryptography: that there should be no need for the cryptographic algorithm to be secret, and it can be safely disclosed to your enemy. The point there is that the strength of a cryptographic mechanism that depends on the secrecy of the algorithm is poor; to use Schneier's term, it is "brittle": Once the algorithm is discovered, there is no protection (or only minimal protection) left, and once broken it cannot be repaired. Worse, if an attacker manages to discover the algorithm without disclosing that discovery then she can exploit it over time before it can be fixed. The mapping to OS vulnerabilities is somewhat analogous: if your security depends only (or primarily) on keeping a vulnerability secret, then that security is brittle -- once the vulnerability is disclosed, the system becomes more vulnerable. ... One goal of securing a system is to increase the work factor for the opponent, with a secondary goal of increasing the likelihood of detecting when an attack is undertaken. By that definition, obscurity and secrecy do provide some security because they increase the work factor an opponent must expend to successfully attack your system. ... Every potential vulnerability in the codebase that has yet to be discovered by (or revealed to) someone who might exploit it is not yet a realized vulnerability. ... cases, there is little or no danger to the general public UNTIL some yahoo publishes the vulnerability and an exploit far and wide. ... The problem occurs when a flaw is discovered and the owners/operators attempt to maintain (indefinitely) the sanctity of the system by stopping disclosure of the flaw.

ReAssure 1.10 Released


This new release of our testbed software provides users with full control of experimental PCs instead of being limited to running VMware images:

  • Experimental PCs can be rebooted at will

  • There is a LiveCD in the experimental PCs, which will take a root password that you specify before rebooting the PC

  • Users are now able to replace the operating system installed by default on experimental PCs, and gain full control

  • The host operating system for VMware is restored after an experiment.

This facilitates experiments with other virtualization technologies (e.g., Xen), or with operating systems or software that don’t interact in the desired manner with VMware.

Compared with other testbeds such as Deter, the differences are that:

  • You should be able to run anything on ReAssure that is compatible with the hardware; 

  • You may try to attack the ReAssure testbed itself; 

  • Malicious software should have great difficulty escaping the testbed (if not using exp01 and exp02, the computers set aside for updating images); 

  • Your experiments using VMware images are portable; 

  • You can take VMware snapshots; 

As before, you can still:

  • Use complex network topologies for your experiments, with high bandwidth utilization on each link (Gbit Ethernet)

  • Extend reservations or stop experiments at will;

  • Use ISO images and VMware appliances; 

  • Share image files

  • Cooperate remotely with other people, and give them access to the PCs in one of your experiments

  • Update your images from two of our experimental PCs that allow connections to the outside (exp01 and exp02)

Under the hood changes:

  • The switch management now uses a UNIX domain server instead of a script started by cron.  This increases the responsiveness of the system, allows checking the state of the switch directly in real time, and allows self-test results to be displayed on the web interface (for administrators).

  • The upload mechanism now uses a UNIX domain server instead of a script started by cron.  This increases the responsiveness of the system and allows self-test results to be displayed on the web interface (for administrators).

  • The power state of the experimental PCs is controlled via IPMI (Intelligent Platform Management Interface) on an isolated network
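The two “UNIX domain server” changes above replace a script that cron starts every few minutes with a process that is always running and answers the moment it is asked, which is what makes real-time state checks and on-demand self-tests possible. As an added example, not ReAssure’s own code (the release notes do not show its implementation), the block below sketches that shape in Python: a daemon listening on a UNIX domain socket (assumed to be what “UNIX domain server” means here) that serves status, set and selftest requests against an in-memory stand-in for the switch. The socket path, the command set and the port state are all hypothetical.

```python
# Added example, not ReAssure's code: a persistent server on a UNIX domain
# socket answering state and self-test queries on demand, in place of a
# script that cron runs periodically.  Socket path, commands and the
# "switch" state are hypothetical; the switch is an in-memory stand-in.
import os
import socket
import stat
import tempfile
import threading


class SwitchManager:
    """Constructed stand-in for the managed switch.  With a cron-driven
    script this state would only be refreshed at the next scheduled run."""

    def __init__(self):
        self._lock = threading.Lock()
        self._ports = {1: "up", 2: "down"}   # constructed sample state
        self.last_selftest = "never"

    def handle(self, request):
        """Parse one request line, return one reply line.  Unknown or
        malformed commands are rejected, never forwarded to hardware."""
        cmd, _, arg = request.strip().partition(" ")
        with self._lock:
            if cmd == "status":
                return " ".join(f"{p}:{s}" for p, s in sorted(self._ports.items()))
            if cmd == "selftest":
                ok = all(s in ("up", "down") for s in self._ports.values())
                self.last_selftest = "pass" if ok else "fail"
                return self.last_selftest
            if cmd == "set":
                port, _, state = arg.partition(" ")
                if port.isdigit() and int(port) in self._ports and state in ("up", "down"):
                    self._ports[int(port)] = state
                    return "ok"
                return "error bad arguments"
            return "error unknown command"


class DomainSocketServer:
    """One request per connection: read a line, reply, close."""

    def __init__(self, path, manager, mode=0o660):
        self.path, self.manager = path, manager
        self._stop = threading.Event()
        if os.path.exists(path):
            os.unlink(path)
        old_umask = os.umask(0o177)       # socket is never world/group-accessible before chmod
        try:
            self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            self.sock.bind(path)
        finally:
            os.umask(old_umask)
        os.chmod(path, mode)              # the file mode is the access control: owner and group only
        self.sock.listen(8)
        self.sock.settimeout(0.2)         # lets the accept loop notice a stop request
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)      # a stalled client must not wedge the server
                try:
                    data = conn.recv(1024).decode("utf-8", "replace")
                    reply = self.manager.handle(data) if data.strip() else "error empty request"
                    conn.sendall((reply + "\n").encode())
                except OSError:           # client timed out or went away; keep serving
                    pass

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()
        os.unlink(self.path)


def query(path, request, timeout=2.0):
    """Client side (what a web interface would call): send one line, read to EOF."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.settimeout(timeout)
        c.connect(path)
        c.sendall((request + "\n").encode())
        chunks = []
        while True:
            buf = c.recv(1024)
            if not buf:
                break
            chunks.append(buf)
    return b"".join(chunks).decode().strip()


def run_demo():
    """Start a server on a temporary socket, issue the queries, return the replies."""
    path = os.path.join(tempfile.mkdtemp(), "switch.sock")
    server = DomainSocketServer(path, SwitchManager()).start()
    try:
        return {
            "mode": stat.S_IMODE(os.stat(path).st_mode),
            "status_before": query(path, "status"),
            "set": query(path, "set 2 up"),
            "status_after": query(path, "status"),
            "selftest": query(path, "selftest"),
            "bogus": query(path, "bogus"),
        }
    finally:
        server.stop()
        os.rmdir(os.path.dirname(path))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point a practitioner should take from this is that a UNIX domain socket is a filesystem object, so its mode bits (0660 here, set under a restrictive umask so the path is never briefly open to everyone) are the whole access control: any local user who can connect can change port state or trigger a self-test, which is exactly the kind of request a web interface will be relaying on behalf of administrators. A production daemon would also check who is on the other end (on Linux, SO_PEERCRED on the accepted socket) before honouring a `set`, and the same pattern serves the upload mechanism, where the request would carry an image name instead of a port number.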

Visit the project home page, the testbed management interface itself, or download the open source software.  The ReAssure testbed was developed using an MRI grant from NSF (No. 0420906). 

US Travel Tips for New Faculty…and for Not-so-New

I have over 3000 entries in my online address book and card collection, and I no longer remember who half of them are, where I met them, or why....a note would have helped me in trimming the collection some. ... Furthermore, you can read the papers when on the plane during times that no electronic devices can be used, and you can write comments in the margin when you have a small fold-down seat tray that isn't large enough to hold an open laptop. ... Also, you are prepared when the airline asks for volunteers to be bumped to the next day in return for a free ticket -- that means you can save money on your grants for the next conference, or else use the free ticket to have a spouse/SO accompany you on a trip. ... Airline check-in people can give you a better seat or waive a change fee if you are nice, flight attendants will sometimes comp a drink or give you the last blanket, and hotel clerks can put you in a better room -- all if you are nice. ... At the end of the trip, the receipts get sorted into three piles: those that go to the university or sponsor for reimbursement purposes, those that go into my file for income taxes (all meal receipts, for example), and a pile I keep until I have been reimbursed and my frequent flier miles credited. ... Intel is one example -- over a 3 year period with 5 trips they never paid an invoice in less than 6 months, one took 10 months to reimburse, and I had to file as a business supplier to even get into their system! ... If you are flying to a conference on grant money, check on university policy -- most will cover the change fee or even the cost of the ticket so long as you commit to buying non-refundable tickets to keep costs low. ... Yeah, maybe you collect frequent flier miles by using that card, but it also may have an 18%-25% effective annual rate. If you are delayed getting a reimbursement, or it crosses the due date of the bill, you may be paying a hefty penalty for those miles. ... 
The taxes part is easiest -- keep the receipts and if your reimbursement gets included in a form 1099-MISC filed by your host, then you list the amounts as deductible business expenses (talk to a tax advisor for specifics -- don't depend on this blog!). ... It is all perfectly legal (although you may need to educate the clerks at the other end), has the same number of digits as your SSN, but if compromised it won't contribute to fraud committed with your identity.

Privacy Survey


I am an advisor to ThePrivacyPlace.  They do great work on privacy issues, and this annual survey is valuable—but only with a lot of responses.  So, please respond and share the link with others.

The following is their survey announcement.

ThePrivacyPlace.Org Privacy Survey is Underway!

Researchers at ThePrivacyPlace.Org are conducting an online survey about privacy policies and user values. The survey is supported by an NSF ITR grant (National Science Foundation Information Technology Research) and was first offered in 2002. We are offering the survey again in 2008 to reveal how user values have changed over the intervening years. The survey results will help organizations ensure their website privacy practices are aligned with current consumer values.
The URL is: http://theprivacyplace.org/currentsurvey

We need to attract several thousand respondents, and would be most appreciative if you would consider helping us get the word out about the survey, which takes about 5 to 10 minutes to complete. The results will be made available via our project website (http://www.theprivacyplace.org/).

Prizes include:

  • $100 Amazon.com gift certificates sponsored by Intel Co.

  • IBM gifts

On behalf of the research staff at ThePrivacyPlace.Org, thank you!