Password Hackers Do Big Business With Ex-Lovers 197
Hugh Pickens writes "The Washington Post reports that disgruntled lovers and spouses considering divorce are flocking to services like YourHackerz.com that boast they have little trouble hacking into Web-based e-mail systems like AOL, Yahoo, Gmail, Facebook and Hotmail. The services advertise openly, and there doesn't appear to be much anyone can do about it because while federal law prohibits hacking into e-mail, without further illegal activity, it's only a misdemeanor, says Orin Kerr, a law professor at George Washington University. 'The feds usually don't have the resources to investigate and prosecute misdemeanors,' says Kerr. 'And part of the reason is that normally it's hard to know when an account has been compromised, because e-mail snooping doesn't leave a trace.' It's not clear where YourHackerz.com is located, but experts suspect that most password hacking businesses are based overseas."
Moo, moo. (Score:5, Interesting)
Yeah, well I'd say it's a big reason why I get phone calls. I hung my shingle out a long time ago about being a computer geek. People usually come to me for one of three reasons: First, their computer's suddenly running slow. "But I've tried everything." Malware is the main reason. Second is "It won't turn on anymore." Coffee spill on laptop, or HDD failure without error message. And the third most common reason: "I want to ruin someone's life! You're a hacker, right?"
Of course, these are my friends, not strangers. I usually oblige them by asking if they knew what common passwords their ex used, any websites they frequented, the full spelling of their name, date of birth, and social security number. And the strange part is: They usually know all of these things. You know what I do then? Nothing. Not a damn thing. I sit down and have a long talk with them about personal security and how just like we don't go out alone at night (I'm a girl. Most of my friends are girls -- I know most of you are dudes and don't think about it much), we also need to take precautions online! This is usually said while saying what a bastard the guy was. And I give them a pat on the head, some candy I keep around for this purpose, and send them on their way.
I'm a white hat (eh, most of the time). But a lot of people just like me know this about others because they've hung their shingle out too and announced they're a geek. And not all of them are going to have an ethical hangup about sucking up all your personal data, hacking your accounts, and leaving "I have a small penis" written to all your friends. Because really... The average person if you do go through all the effort to get them access just sits there feeling all powerful for a minute and then does something incredibly juvenile that'll make you wish you'd done your laundry instead of wasted two hours at the keyboard.
My advice to you people: Love your partner. But do not give them the root password!
P.S. Only once ever have I done a spot of sleuthing that I felt was worth it -- when I discovered a friend-of-a-friend was dating a terrorist. No, I don't mean the fluffy-bunny kind that the media portrays either (everything is terrorism these days). No, I mean the guy came overseas, setup shop over here, and was doing serious criminal enterprise and had cases open with a half-dozen agencies. A few days later, a police officer informed her that if she valued her life, she should cease contact with him immediately. Fun times. Everything else though? Boring as shit.
Double Standards... (Score:5, Interesting)
Re:Moo, moo. (Score:4, Interesting)
But maybe these different patterns relate to the fact that I am male?
More likely it's that girls have a lot more aqaintances and casual contacts than men do... And that we gossip so that people who know of us extends beyond a few close friends and coworkers but into the friend-of-a-cousin-of-a-friend's boyfriend scope. That, and most guys just want to be done with the drama and suffer in silence when it ends. Girls don't usually skip the part of the process that entails great amounts of fire and brimstone. Of course, in the end it's all a tempest in a teapot, but that doesn't stop them from beating a path to my door and getting Lecture #46.
How do they work? (Score:5, Interesting)
If you're curious how these things work, here's a write-up of a typical example of one of these services [mcgrewsecurity.com].
Re:compromised (Score:1, Interesting)
It'd be like me telling you that the R0 of variola vera is about 6.5. Meaningless to you in this context.
But people might just remember at what time the logged in. Time is quite a common concept in modern society. That said, your estimate on smallpox contagiousness is rather optimistic (depending on your viewpoint: http://www.ncbi.nlm.nih.gov/pubmed/11742399
Re:RTFS (Score:3, Interesting)
What I'd like to see would be more ability to use a standardized keyfob (such as RSA's SecurID), a smart card that has one's client certificate, or perhaps both in one device like the Aladdin eToken NG-OTP. Combine this with some type of decentralized but usable authentication system like OpenID, and this would go a long way to making bad or guessed passwords a thing of the past.
Smart cards go a long way to ease authentication hassles, but they bring their own issues, such as card lockouts due to too many failed PIN attempts, lost/stolen/accidently microwaved cards, user training, to malware which captures the PIN on a compromised computer then if the card is still inserted, uses it for its own bad stuff.
Re:RTFS (Score:3, Interesting)
I am not allowed to save them. I must memorize them.
Nonsense. While Chrome doesn't seem to have this yet, Firefox and Konqueror come with encrypted password stores out of the box.
That is, you enter one master password, and it then remembers all your passwords for you.
I also have a friend who wrote a Firefox extension, which I'm seriously considering replicating (or finding, if he ever published it), which would take one master password that he'd remember, combine it with the domain, and computer a hash. Thus, nothing is ever stored, but there's still only one password to remember.
This scheme prevents a breach at one website from compromising others, so long as your master password and/or local password store is safe. And it's a lot easier to try to keep that safe than to try to create and memorize tons of random passwords.
Finally, there is the option to use client-side certificates and/or OpenID, with services that support them. This would allow you to choose whatever means of authentication you like, passwords or otherwise.
The point is, you're not allowed to save them somewhere obvious in plain text, or especially, taped to your monitor.
It is a known fact that people are stupid. If you make something that proves that fact, then the problem is not the moron users, but the designers.
But trying to idiot-proof it is the wrong approach, or at least, should not be a priority. As the saying goes, they'll always build a better idiot.
No, the right approach is to increase the ease with which someone could use the system properly, and how far "properly" extends. After you've done that -- in this case, after OpenID is ubiquitous -- then you can worry about how to dumb it down to where an idiot can use it.
But if you design the system for an idiot in the first place, you're both creating more idiots, and in this case (using passwords and "pet's name" security questions), making the system less secure and/or less convenient for experienced users.
Re:RTFS (Score:4, Interesting)
Several UK banks use the EMV card (branded as "Chip+PIN" here (wiki it), a debit/credit card with a chip) for authentication with online banking. The readers don't connect to a computer, and getting the PIN wrong three times in the portable reader only means you need to reset the card by using it in an ATM.
The trouble is, it's been done cheaply, and has some *big* problems. Ignoring problems with encryption, the biggest one is a social problem: I have a small card reader. I can put one of my debit/credit cards in, press "Identify", type in my PIN, and get the message "PIN OK" and a code. Fine, I can put the code in the online banking website to authenticate.
The problem is, if I get the PIN wrong, the message says "PIN incorrect", and no code is produced. Argh! Introducing the chips has drastically cut face-to-face (shop, ATM) fraud in the UK, and means criminals now want a PIN to go with a card. They sometimes install a tiny camera in an ATM and steal the card when you walk away, but ATMs are in "safe" places, and have CCTV around them etc -- or at least, people don't use them if they don't feel safe.
So instead, they steal your card somewhere more private:
*thump* *thump* "Tell me the PIN!"
"5-2-9-1! Let me go!"
*"Identify"* *tap-tap-tap-tap* *schking* "Tell me the real PIN, or else!"
Re:Moo, moo. (Score:3, Interesting)
(hey, don't look at me, I'd love to see female engineers and scientists just as much as you do).
Then stop treating them as sex objects when they show up for work!
That is actually a lot harder than people realize. We The People are animals first and foremost, and then everything else. Whenever most people see a person of the opposite gender, the first thing they see is that they are of the opposite gender. This is biology, at which most people have more experience than at their culture, education and work ethics.
The better and broader your education and culture, the faster they kick in to cushion the action of pure animal instinct, but do not be fooled, its there and most men will first see the woman and then the co-worker. Some times it comes naturally and some times it takes actual conscious effort to completely remove the message "I'm talking to a woman" from the "I'm talking to a co-worker" equation. That is in no way a justification for being a pig, but hopefully its an insight on the mechanics. Of course this is /. so others will disagree =)