Hacker Penetrates T-Mobile Systems 396
An anonymous reader writes "SecurityFocus.com reports 'a sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities.' Demi Moore and Paris Hilton are involved."
linkie? and recruitment (Score:5, Insightful)
Okay, all my Karma points for a link.
The same source also offers an explanation for the secrecy surrounding the case: the Secret Service, the source says, has offered to put the hacker to work, pleading him out to a single felony, then enlisting him to catch other computer criminals in the same manner in which he himself was caught. The source says that Jacobson, facing the prospect of prison time, is favorably considering the offer.
As much as we make fun of the computer knowledge of our governments, they finally seem to be on the right track. You must have some of these guys in your pocket to really have a chance. Can you trust them? Probably not completely... but if they bring you some knowledge, skills, and some of the most damaging players, then it's worth it.
The News (Score:5, Insightful)
Some days I'm proud to be american, but then the drugs wear off.
But how could he NOT get caught? (Score:5, Insightful)
So... let's say that I want to patronize his obviously grossly illegal service. How do you consummate a transaction like this? Cash in a Fedex envelope? Sent to whom? A P.O. box?
Who performs first? Are there criminal escrow services?
And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?
Is there something I'm missing here?
No, really.
Comment removed (Score:5, Insightful)
Are budget cuts that severe? (Score:5, Insightful)
What's next? The FBI, CIA, etc is compromised while using hotmail, Yahoo, or Google mail?
Are Gov IT cutbacks so severe they have to turn to places like this to send messages?
Re:Hmm... (Score:3, Insightful)
Re:linkie? and recruitment (Score:3, Insightful)
Re:Not-so Secret Service (Score:5, Insightful)
A lot of people have crazy delusions that secret agencies live in some far off technical wonderhome, where all communications are encrypted with some super 733t MD67 algorithm never before seen by any other person in the world, all access is controlled by handprint and retinal scan identification and everyone walks around with James Bond gadgets in their pockets. It's just not so. These people live and work in normal offices and normal homes and deal with the same crappy, bug-ridden and insecure hardware and software that the rest of us do. It's probably a bit better than your normal corporate office, but not by much.
standards board (Score:4, Insightful)
Re:standards board (Score:2, Insightful)
There is always going to be some enterprising person that can get by any measure of security that you put in place, so setting up more buercracy to look at standards just makes it easier, because now the world knows how you store/protect data and thus makes it easier to find exploits.
Re:Not-so Secret Service (Score:3, Insightful)
Are you new here? (Score:5, Insightful)
This is also the same country where we gave a dictator the technology and biological weapons to kill his own people by the tens of thousands, and used that as a reason 15 years later to depose him.
Get used to it.
Re:Not-so Secret Service (Score:3, Insightful)
No wonder this is being kept quiet (Score:2, Insightful)
A few replies to this posting have expressed surprise that SS agents use commercial wireless accounts, but how else could they send information to and from the field wirelessly? A few more have suggested that the compromised SS data may just be intra-agency chit-chat, but a couple things suggest that may not be so.
First of all, the nature of the documents that were leaked in the IRC chat - one is described as an "internal memo", and the other is probably a treaty with the Russians to share criminal information. No details are given re the content of the memo, but it could have been extremely damaging to a case in progress. And the treaty is probably not sensitive in and of itself, but its presence could tip off Russian computer criminals to watch their backs.
Now, the guy whose account was raided for this info is a recent celebrity for taking out a previous hacker. It would probably be extremely embarassing to the agency for his goof to be exposed like this.
And then there's the fact that this MASSIVE series of criminal acts is being written down to just a single felony... and they're giving the guy a job!
Now I don't want to sound like a conspiracy theorist, but it seems likely to me that this dude got off (and got a job!) so light not for his m4d-l33t h4x0r skills, but because of the potential embarrasment to the service, and the damage the publicity might do to other cases. It seems the lesson here is that it doesn't matter what crime you commit online, or on what scale, as long as you:
The precedent that these two points set is worrying. Crackers are annoying when they deface websites, bring down servers or spread virus-like software - but it's only a few hours annoyance (a week at the most), then the problem passes (for most people). Once crackers get the message that the clowns get stiff fines and the real dangerous people get off light (plus get a lot more out of it if they don't get caught), it would seem to make sense to stop "tagging" or writing viruses and go for the big game. Furthermore, the cops become a very attractive target, which could compromise many more, unrelated cases.
So the message as I read it is: "Don't be a script kiddie, crack the FBI! If you get away with it you get rich, and if you get caught you get a job."
Both the Secret Service and T-Mobile should be publicly shamed for the debacle, and the response, if only it wouldn't risk compromising other cases.
Re:linkie? and recruitment (Score:1, Insightful)
Even Hung Out On UnderNet? (Score:5, Insightful)
Who performs first? Are there criminal escrow services?
This page [securityfocus.com], linked in the posted article, has some explanation about how they traded:
"The 4,000 Shadowcrew members were participants in an underground economy capable of providing a dizzying array of illicit products and services. The most active commodities were "dumps" of credit card account data, fake physical cards to go with the dumps ($50 blank, $70 embossed, in bulk), and expertly forged identification to help pass the plastic at the local consumer electronics store. Credit reports, hacked online bank accounts, and names, birthdates and social security numbers of potential identity theft targets were also for sale in bulk.
Each product had its own specialists, and every vendor had to be reviewed by a trusted site member before they were allowed to sell. Disputes were handled judiciously, "rippers" selling bunk products quickly exposed and banned from the site. In one case a vendor who owed another member money was allowed to continue selling only on the condition that his future illicit earnings would be garnished until his debt was repaid..
Members of the community even traded in tangible items like ATM skimmers, prescription drugs, and cocaine, and services like DDoS for hire and malware customization. One well-reviewed vendor offered a test-taking service that promised to get customers technical certifications within days. He was permitted to vend after earning the reviewer a Microsoft MCP certification under an alias."
And how stupid do you have to be to take out an ad online, in a known criminal hangout, announcing your secret power, and providing contact info?
Um, dude, have you ever hung out on undernet? All sorts of shady shit happens there. I've known friends who knew people from online chatrooms who hijacked business conference call lines and made them available to entire chatrooms as a group conference voicechat line. Warring chatrooms would even appear and try to make the line unusable. I thought it was moronic (they even called from their home and work phones for God's sake!), but I think people aren't used to the internet's topology. The lack of a physical police presence makes people pretty confident and reckless - you're not there, so they can't just arrest you on the spot, which eliminates most of the anxiety in any crime (smoke weed in a public park and your house and compare your reactions). Even worse, because of the nature of the internet, the police don't need a physical presence to monitor any of it, so criminals can't just look over and notice that shady van across the street. The lack of these real-world reminders makes for bad heuristic judgments. You'd think hackers would be the first to notice that their lack of fear is due to this sort of fallacy, but from the article, it's clear that some don't.
Don't get me wrong - I'm not saying that it's easy to catch people committing crimes online. It's extremely difficult. GHB kits thrived online, and I'm sure if you still looked you could find products ostensibly marketed for other reasons that are just clandestine GHB kits on google (that's the only example you get, but you'd all be fucking shocked if you knew just how many drugs are sold online with Visa and paypal). If you take only the most obvious precautions, it's many times harder. Something as simple as using a proxy and encryption from a "borrowed" wireless connection can make criminals almost undetectable. Many of us use one of the three reguarly. How hard is it to combine them?
The police can't monitor everything. Even if they devoted the resources to looking for this sort of thing, how many people know the magic combinations of words and searching techniques that let them
Re:Hmm... (Score:3, Insightful)
The government does this all the time in organized crime and drug cases. Look at a guy like Sammy "The Bull" Gravano. He killed god knows how many as a member of the Gambino family not to mention a list of other crimes a mile long but was given a slap on the wrist and a new identity for turning states evidence.
Nothing new here.
Re:linkie? and recruitment (Score:3, Insightful)
Re:Demi Moore and Paris Hilton are involved. (Score:4, Insightful)
Wealthy
Thin to the point of being unhealthy
High Libido
Slutty
Blond
Dumb as a post.
As a result, the media HAS to go nuts about her, because toothpicks like her are the kind of trash they've been throwing at us for ages.
Re:His Resume is posted online ! (Score:2, Insightful)
So basically, some script kiddy gets luckky and finds a router with the default password set and wreaks havoc. Nice to know the Telecom business is paying attention to security.
A chain is as strong... (Score:3, Insightful)
(This event could be called "backdoor", couldn't it?)
Re:linkie? and recruitment (Score:3, Insightful)
See the case of the chinese woman who had a 20 year affair with a FBI agent. She was spying on the Chinese, for the FBI, and they paid her 1.7 million. Then the FBI got an interesting notion that she might be spying for the chinese, so they dragged her in court. Of course, the prosecution screwed up and the judge dismissed the case for infringement of her constitutional right. (that was in the paper a couple days ago).
All this to show that the US government is not above giving lots of money (if for 20 years, 1.7 million is 85,000 a year, and I bet she did not pay taxes on that (what whould she put under profession?)).
What the chinese used as a lever, if indeed they used her (she might have been a throwaway agent (read last chapter of The Art of War)), might also have been money (they have lots), since it obviously worked as a lever for her.
As far as keeping them blackmailed, that's very very bad. It is very easy for foreign agents to turn such elements over. They say something like: We'll fake your death, you move to japan, give you an interpreter/girlfriend (here's her picture: Yowza!) and a beautiful house on the hill, with internet and computers, and 140,000 a year for 10 years. After that, you're free to go as you please. Think about it, you can get back at the SS for making you miserable. And you'll be helping mankind by keeping the balance of power so that there is no war.
You think the CIA was born yesterday? (well, actually, under Bush Jr, it's being strangled to death now) They know their stuff. perhapes not as well as the russians or the chinese, but they do know their stuff. They would not be stupid enough to blackmail the guy. They want to make him think they saved his life from being the cig trade.
Re:Demi Moore and Paris Hilton are involved. (Score:3, Insightful)
Mind you, I don't for a moment think this is the result of any kind of organized conspiracy. This is the logical consequence of about a century and a half of advertising campaigns telling us ways we're "not good enough."
Toys like Barbie don't help matters much. I won't speculate about the motives behind the people who created the doll and it's proportions, but the end result has been a couple of generations of women growing up trying to look like that, and men growing up to expect women to look like that.
One of the replies to your post was from someone who finds Paris attractive. I'm sure there's a percentage of people who are just naturally hard wired for those preferences, but given the fact that Paris' body isn't really capable of supporting a pregnancy without medical aid, I doubt she matches the image of what we EVOLVED to prefer.
This advertising based image of the "ideal" is older than anyone alive today, and has become so ingrained that most people think its "normal" to find such an absurd image attractive, and even grow hostile towards those who imply otherwise.
Actually, given the photos I've seen of Paris, and the statistics I've read (Some VERY thin friends are having kids) her chances of having a child with birth defects are a few orders of magnitude greater than the average American's. Having so little weight probably makes it difficult to carry a fetus to term and provide it the nutrients it needs to develop properly.