Krebs Publishes 'Interview With the Guy Who Tried To Frame Me For Heroin Possession' (krebsonsecurity.com) 52
"In April 2013, I received via U.S. mail more than a gram of pure heroin as part of a scheme to get me arrested for drug possession," writes security reserch Brian Krebs. "But the plan failed and the Ukrainian mastermind behind it soon after was imprisoned for unrelated cybercrime offenses.
"That individual recently gave his first interview since finishing his jail time here in the states, and he's shared some select (if often abrasive and coarse) details on how he got into cybercrime and why... Vovnenko claims he never sent anything and that it was all done by members of his forum... "They sent all sorts of crazy shit. Forty or so guys would send. When I was already doing time, one of the dudes sent it...." In an interview published on the Russian-language security blog Krober.biz, Vovnenko said he began stealing early in life, and by 13 was already getting picked up for petty robberies and thefts... "After watching movies and reading books about hackers, I really wanted to become a sort of virtual bandit who robs banks without leaving home," Vovnenko recalled...
Around the same time Fly was taking bitcoin donations for a fund to purchase heroin on my behalf, he was also engaged to be married to a nice young woman. But Fly apparently did not fully trust his bride-to-be, so he had malware installed on her system that forwarded him copies of all email that she sent and received. But Fly would make at least two big operational security mistakes in this spying effort: First, he had his fiancée's messages forwarded to an email account he'd used for plenty of cybercriminal stuff related to his various "Fly" identities. Mistake number two was the password for his email account was the same as one of his cybercrime forum admin accounts. And unbeknownst to him at the time, that forum was hacked, with all email addresses and hashed passwords exposed.
Soon enough, investigators were reading Fly's email, including the messages forwarded from his wife's account that had details about their upcoming nuptials, such as shipping addresses for their wedding-related items and the full name of Fly's fiancée. It didn't take long to zero in on Fly's location in Naples. While it may sound unlikely that a guy so immeshed in the cybercrime space could make such rookie security mistakes, I have found that a great many cybercriminals actually have worse operational security than the average Internet user. I suspect this may be because the nature of their activities requires them to create vast numbers of single- or brief-use accounts, and in general they tend to re-use credentials across multiple sites, or else pick very poor passwords -- even for critical resources...
Towards the end, Fly says he's considering going back to school, and that he may even take up information security as a study. I wish him luck in that whatever that endeavor is as long as he can also avoid stealing from people.
"That individual recently gave his first interview since finishing his jail time here in the states, and he's shared some select (if often abrasive and coarse) details on how he got into cybercrime and why... Vovnenko claims he never sent anything and that it was all done by members of his forum... "They sent all sorts of crazy shit. Forty or so guys would send. When I was already doing time, one of the dudes sent it...." In an interview published on the Russian-language security blog Krober.biz, Vovnenko said he began stealing early in life, and by 13 was already getting picked up for petty robberies and thefts... "After watching movies and reading books about hackers, I really wanted to become a sort of virtual bandit who robs banks without leaving home," Vovnenko recalled...
Around the same time Fly was taking bitcoin donations for a fund to purchase heroin on my behalf, he was also engaged to be married to a nice young woman. But Fly apparently did not fully trust his bride-to-be, so he had malware installed on her system that forwarded him copies of all email that she sent and received. But Fly would make at least two big operational security mistakes in this spying effort: First, he had his fiancée's messages forwarded to an email account he'd used for plenty of cybercriminal stuff related to his various "Fly" identities. Mistake number two was the password for his email account was the same as one of his cybercrime forum admin accounts. And unbeknownst to him at the time, that forum was hacked, with all email addresses and hashed passwords exposed.
Soon enough, investigators were reading Fly's email, including the messages forwarded from his wife's account that had details about their upcoming nuptials, such as shipping addresses for their wedding-related items and the full name of Fly's fiancée. It didn't take long to zero in on Fly's location in Naples. While it may sound unlikely that a guy so immeshed in the cybercrime space could make such rookie security mistakes, I have found that a great many cybercriminals actually have worse operational security than the average Internet user. I suspect this may be because the nature of their activities requires them to create vast numbers of single- or brief-use accounts, and in general they tend to re-use credentials across multiple sites, or else pick very poor passwords -- even for critical resources...
Towards the end, Fly says he's considering going back to school, and that he may even take up information security as a study. I wish him luck in that whatever that endeavor is as long as he can also avoid stealing from people.
He's definitely not so fly... (Score:2)
... even for a white guy.
Re: (Score:2)
... even for a white guy.
He wanted a 13 but he got a 31 month jail term so he was not allowed to come out and play.
Re: He's definitely not so fly... (Score:2)
Gulag FTW!
Uncle Joe, you still got us beat, but we're comin' for you!
Being a criminal is hard work (Score:4, Interesting)
This proves again, that following a successful career as a criminal (or as a terrorist) is a lot harder than it appears.
While the law-enforcement can bumble across many tries to catch her (female pronoun for social justice), all the small mistakes add up in her disfavour. Also, as with everything, practice makes perfect.
So either she practices and gets it perfect sooner or later, making many mistakes on the way
- or she tries one single big coup, which has a higher chance of failing because of lack of practice.
This is what really protects society from crime and gives the police a fair chance.
Sorry, that is completely false. (Score:3)
As I said below:
The vast majority are never caught. Or even reported.
Law enforcement has a biased view because most criminals it is on to, are caught.
But for most crime, a suspect (or even a crime) is never identified, if you look at the statistics of crimes committed VS criminals caught.
But of course, every law enforcer with half a brain spreads the story, that most criminals are caught. In the hope that that already deters crime. It is an age-old demoralization tactic.
Statistics tell us something else tho
Re: (Score:2)
I think you are taking "the majority of crimes go unsolved" and then using it to assume that "the majority of criminals are not arrested", which is possible but unlikely. What you don't seem to be taking into account is that most criminals do more than one crime, and even when caught are unlikely to be punished, or even connected, to other crimes they have committed. Do some career criminals avoid arrest entirely? Undoubtedly, but the pattern you are more likely to see is one of fairly frequent interaction
Female pronoun for social justice? (Score:2, Insightful)
Sorry, wtf are you smoking exactly? The individual in this story is a man and the majority of crimes are committed by men so give the pathetic virtue signalling a rest.
Re:Female pronoun for social justice? (Score:4, Funny)
Excuse me, "her" could very well refer to a man whose preferred pronouns includes "her." Check yourself.
Re: (Score:2)
He can prefer what he likes, he can pretend he's a poodle for all I care. But if he has a dick and balls he is a HE.
Re: (Score:1)
Re: (Score:3)
But if he has a dick and balls he is a HE.
But HE identifies as a 15 year old Thai girl. It's a perfectly normal sane thing for a man to do. What's wrong with you?
Re:Female pronoun for social justice? (Score:4, Insightful)
Sorry, wtf are you smoking exactly? The individual in this story is a man and the majority of crimes are committed by men so give the pathetic virtue signalling a rest.
He's making the humorous point that nobody insists on calling a hypothetical techie "she" when it's a criminal.
Re: (Score:2)
Sorry, wtf are you smoking exactly? The individual in this story is a man and the majority of crimes are committed by men so give the pathetic virtue signalling a rest.
He's making the humorous point that nobody insists on using the superfluous "she" when the hypothetical techie is a criminal.
Re: (Score:2)
the majority of crimes are committed by men
Women are perfectly capable of producing crime and mayhem as men are, they're just not given the same opportunities as men to do so. Also women are under-represented in jails because sexist pig *men* reduce their jail terms unfairly so that just don't appear to be as criminal as men.
Women want to steal, rape and murder however it is a lot more difficult for them to do so because, as usual, men get in the way of them achieving anything in their criminal careers, for which they get far less loot than men
Re: (Score:2)
This proves again, that following a successful career as a criminal (or as a terrorist) is a lot harder than it appears.
While the law-enforcement can bumble across many tries to catch her (female pronoun for social justice), all the small mistakes add up in her disfavour. Also, as with everything, practice makes perfect.
So either she practices and gets it perfect sooner or later, making many mistakes on the way - or she tries one single big coup, which has a higher chance of failing because of lack of practice.
This is what really protects society from crime and gives the police a fair chance.
To clarify, being a stupid criminal is hard work, much like being a stupid human is.
And this doesn't "prove" jack shit. For all you know, this moron who got caught represents less than 1% of cybercriminals out there. The other 99% could be robbing the world blind and getting away with it, all because of the sheer amount of noise. Even "petty" crimes that law enforcement now ignores aren't so petty anymore due to lack of legal resources, so what makes you think we're going to know or even give a shit abou
Re: (Score:2)
I expect it is a lot of hard work, more work then doing an honest job. However for most people in crime, they are barriers to entry to legit work, that they seem to not be able to get past.
Such as not having the correct schooling.
As schools will often have a 0 tolerance policy which is applied only to the non-rich and non-sport stars. So a child who is constantly getting kicked out of class, due to bad attitude (which originally seems to stem from the student trying to get grasp of information being taught
Re: (Score:2)
So either she practices and gets it perfect sooner or later, making many mistakes on the way
Would you send me a link to the specific cat video you're referring to?
Re: I'm surprised guy in jail did ... (Score:2)
Jails are full of innocent people who were forced to "confess". Gulag FTW!
Classic law enforcement bias. (Score:5, Insightful)
"How come so many criminals make rookie mistakes?"
Because those are the ones you catch!
"Most criminals are caught."
No, you only mostly see criminals because you are on to them!
If you look at just the crimes reported, the vast majority are never solved.
And that is ignoring the majority that are not reported, because the victim already knows that nothing will come of it.
Most criminals are stupid (Score:4, Insightful)
Thats why they get caught. Yes some are smart but not many because most smart people manage to get successful proper jobs. A dumb psychopath might commit armed robbery or murder, a smart one becomes a CEO.
Re: (Score:2)
A dumb psychopath might commit armed robbery or murder, a smart one becomes a CEO.
And then he commits lawyer-armed robbery or murder?
Re: (Score:2)
"Fatal consequences arising from Mr. Smith's involvement with the concerned party" if you please.
Re: (Score:2)
Thats why they get caught. Yes some are smart but not many because most smart people manage to get successful proper jobs. A dumb psychopath might commit armed robbery or murder, a smart one becomes a CEO.
True, but that doesn't mean the CEO doesn't commit crimes. "This contract is better for the company because the partner is able to deliver but that contract seems better because it has a better price and they are giving me use of a ski-chalet (true story) so I'll go for that one". "They are better qualified but I'll go for her instead because she's my friends' daughter". "She is a better contractor but I don't want to deal with women". "This chemical will cause the world to overheat but the alternative
Re: (Score:2)
True, but that doesn't mean the CEO doesn't commit crimes. "This contract is better for the company because the partner is able to deliver but that contract seems better because it has a better price and they are giving me use of a ski-chalet (true story) so I'll go for that one". "They are better qualified but I'll go for her instead because she's my friends' daughter". "She is a better contractor but I don't want to deal with women". "This chemical will cause the world to overheat but the alternatives will cost us more, so I'll go for this chemical".
In each of these cases there's an actual crime but it can be seen only in the CEO's head. A simple denial with a made up explanation ("we didn't know", "HR said she had better inter-personal skills", "I thought we would need C++ skills soon", "the evidence was unclear and we the other scientists were more credible") and there isn't even a crime to report let alone prosecute.
Can you tell me the statutes involved? I can see the first one possibly being a bribe.
The others are not crimes, and the CEO isn't likely to be making those decisions anyhow.
But we had auditable guidelines, such as we were required to have a certain percentage of contracts awarded to businesses owned by humans that possessed female genitals. It's been a few years, so I do not know how they comply with gender as a social construct. I might be able to tell them I identify as female and join that group. And
Re: (Score:1)
What's smart about running the rat race? The way a third of your income goes to career criminals who will spend half of it bombing brown people for oil?
"A dumb psychopath might commit armed robbery or murder, a smart one becomes a CEO."
Yeah, because a CEO's crimes can kill more people than any murder, even a mass shooting.
Re: (Score:2)
Thats why they get caught.
That's why *he* got caught, don't mis-gender him by using "they", just apologize and move on.
Bullshit. Most criminals are *desperate*. (Score:2)
Why do you just keep repeating your TV-show-based beliefs?
That is another popular misconception.
If you are doing well, and your life is alright, then unless you got a mental illness, you don't think about doing crime. Why would you?
It is nearly always the people whose life is in the toilet.
And while that is often due to not getting the right upbringing or education, it does not follow that they are stupid per se.
Which correlates with most not being caught.
One of those mental illnesses is psychopathy/sociopa
Re: (Score:2)
"beyond my control "
No my friend - one or 2 of those things you mentioned might have been beyond your control but no one has that much bad luck happen to them unless they attract it in some way or they're complete idiots. Which one are you?
Re: (Score:2)
If you look at just the crimes reported, the vast majority are never solved.
And that is ignoring the majority that are not reported, because the victim already knows that nothing will come of it.
While I think you are correct to raise this argument, it is not quite so clear that there is a significant portion of the career criminals out there who are just so smart that they are never caught. If you ask a police officer or DA, they will tell you that of the ones that are caught, most of them surely were involved in many many crimes that they will go unpunished for, because the high evidence bar for a conviction makes the costs of going to old crimes the suspect probably was involved in too high. Ba
Isn't it ironic? (Score:2)
Personally, I find it hilarious that what fell him was the two cardinal sins why people become victim of cybercrime in the first place: Using your mail for too many things to make ID theft possible and reusing your password.
It never happens to me (Score:5, Funny)
It's always other people who get nice stuff sent to them for free in the mail. Me, I never get nothing...
I would have stopped him at password (Score:1)
not too bright (Score:2)
Especially this guy.
Curious, for a friend.... (Score:1)
I don't get this career option (Score:3)
If I want someone to babysit my kids I don't look for a former pedophile.
Re: (Score:2)
Are security companies staffed by former hackers successful?
If I want someone to babysit my kids I don't look for a former pedophile.
It's the same idea as using someone who went to prison for B and E to consult for home security, or the government employing former forgers to work on anti-counterfeiting task forces.
Re: (Score:2)
Sometimes. Usually if the former criminal was a genius who established techniques in common use. It helps if they were playing around because they loved testing systems or because they liked the challenge of the cat and mouse game. Especially if they were fairly young when caught. I'm thinking Kevin Mitnick or Frank Abagnale (the real guy from "Catch Me If You Can".) But even then, it's usually designing countermeasures/giving speeches/consulting, not the grunt work. And both those examples worked wi
Re: (Score:3)
Glad I'm not a security researcher (Score:2)
Re: Glad I'm not a security researcher (Score:2)
Nothing says "free society, high information environment" like tossing everyone who says something inconvenient into the gulag.
Yet another good reason (Score:2)
Lessons Learned? (Score:2)
Use a password manager and make sure you have multi-factor authentication enabled on your accounts.