How a Chinese Hacker Tried To Blackmail Me 146
An anonymous reader writes "Slate provides the first-person account of a CEO who received an e-mail with several business documents attached threatening to distribute them to competitors and business partners unless the CEO paid $150,000. 'Experts I consulted told me that the hacking probably came from government monitors who wanted extra cash,' writes the CEO, who successfully ended the extortion with an e-mail from the law firm from the bank of his financial partner, refusing payment and adding that the authorities had been notified. According to the article, IT providers routinely receive phone calls from their service providers if they detect any downtime on the monitors of network traffic installed by the Chinese government, similar to the alerts provided to telecom providers about VoIP fraud on their IP-PBX switches. 'Hundreds of millions of Chinese operate on the Internet without any real sense of privacy, fully aware that a massive eavesdropping apparatus tracks their every communication and move...' writes the CEO. 'With China's world and ours intersecting online, I expect we'll eventually wonder how we could have been so naive to have assumed that privacy was normal- or that breaches of it were news.'"
Words mean things (Score:5, Insightful)
That's a criminal, not a hacker.
Re:Words mean things (Score:5, Insightful)
Re: (Score:2)
Perhaps words don't always mean things. Given how much of social life is dominated by lies and falsehood.
Re:Words mean things (Score:5, Insightful)
He's completely right. As a gov monitor the guy did not have to hack into anything. Everything was already there. Technically, he did not even have to use equipment in a different way as he was expected to - and blackmail hardly qualifies as "social engineering".
No hack found here. Just a cheap and nasty case of corruption - but what else would you expect from a professional denouncer?
Re:Words mean things, or not .... (Score:1)
Re: (Score:1)
Re: (Score:3)
Do you mean that it's OK for the Chinese to do it, or do you mean that it's not OK for Americans to do it?
Re: (Score:1)
Re: (Score:1)
The popular use of the word hacker implies he broke into a system to retrieve his information, preferably with some sort of coding or technical gymnastics involved. This Guy just used software that was available to him as part of his job.
Therefore :he's not a hacker even in the popular sense of the word.
Re:Words mean things, or not .... (Score:1)
Re: (Score:1, Informative)
The hacker vs. cracker war was lost a decade ago. Let it go. It is too ingrained now. The best you can do now is talk about the color of their hats.
Re:Words mean things (Score:4, Insightful)
I don't think he was referring to hacker vs cracker in the sense that "hackers are good, crackers are bad". He was saying "No hacking, good or bad, occurred here. Just good, old-fashioned criminal activity that just happens to involve a computer." This is mostly obvious by the fact he never mentioned the term "cracker".
Re: (Score:1)
Exactly. Blackmail is a crime not a hack.
It's blackmail by a government censor&spy agen (Score:2)
In China it is very heavy handed and abusive. In others, very subtle and well disguised. But. Every country has numerous entities monitoring what everyone does online. And there's usually nobody monitoring the monitors.
Re:It's blackmail by a government censor&spy a (Score:5, Interesting)
Try getting a job at the NSA. You'll be security-screened up the wozoo, and then face 10 years in the slammer if you leak. Ask Manning.
There's also a lot of security - no USB drives, no internet (they'll have 2 computers, one of which can only access a LAN where the confidential information is kept), audits, lots of rules, etc. Manning used a CD burner. I'm betting that's going to be a bit harder to do now.
Re: (Score:3)
I suspect the buzzing on your phone isn't coming from your phone. It's coming from the implant in your head. Have you checked for signs of alien abduction? I suspect that you may fit nicely in another demographic.
Re: Words mean things (Score:1)
Re: (Score:3)
Re: (Score:2)
Re: Words mean things (Score:2, Funny)
Wait a minute, I thought crackers were white people, not black...
Re: (Score:2)
Give it up. the word "Hacker" has been long lost. (Score:1)
Hacker == criminal computer break-in artist.
We lost the war. Give it up.
We lost the term. It no longer means someone who cleverly just can make a computer system do something it wasn't designed to do.
The term "hacker" has been successfully stolen by the media. It's gone forever. Finished.
Accept it and move on.
Re: (Score:2)
If the attacker gained access to the system by non-trivial means, derived from his/her own efforts, then he/she is a hacker.
If the attacked gained access to the system by non-trivial means implemented by a government, and by lucky (or by incompetence of someone else) he/she happened to operate that non-trivial means, then he/she is just another opportunistic fellon.
Re: (Score:1)
God damned dictionaries. "Fix" what is not broken, and doesn't correct me where I really need.
Where I wrote "If the attacked", please read "If the attacker". =/
Re: (Score:2)
*waits to hear explanation for "fellon"...* :D
Re: (Score:1)
Re: (Score:1)
Re:Words mean things (Score:4, Insightful)
And if you mention The Gay Science, how many people do you know that think of Nietzsche? Terms change with the times. Not always for the better, but they do.
Re: (Score:1)
Is slashdot a National Enquirer wannabe?
"a CEO" story from some obscure website twice over is the source of slashdot scoops?
I'm "a nobody" who banged Jodi Foster and Ellen Degeneres in a menage a trois. Scoop this slashdot?
Hundreds of millions of Chinese(American too?) operate on the Internet without any real sense of privacy, fully aware that a massive eavesdropping apparatus tracks their every communication and move
Kettle calling the pot black much?
Re: (Score:3)
Who hasn't? I even submitted pictures. All I got was just got an email asking me for more.
Re: (Score:1)
Titles (Score:2)
I think the person that started this should be called what they were, a government censor and the Chinese government should realize corruption is an inevitable result of censorship.
Re: (Score:2, Insightful)
a government censor and the Chinese government should realize corruption is an inevitable result of censorship.
The inevitable result of government itself is corruption.
Arguing over minor facets is pretty pointless in the long run.
Re: (Score:3)
What are we; but slaves to finances?
Re: (Score:1)
The issue is the stupid shareholders and investors. The CEO will loose his or her job if they want to hire Americans who wont steal instead.
Have you ever watched Shark Tank? Mark Cuban is on that show and basically unless you are willing to move to China they wont even talk to you! One lady went on and said she did just that and her supply copied her design and went around her and sold it at the major retailers for less cost and practically put her under. The investors with the exception of Cuban still didn
Indeed, you follow the money, you find the crime. (Score:4, Insightful)
Go to a financial power center, find the center of crime. Well dressed, groomed, prepared, by an army specialists in PR, marketing, design, security, privacy, and secrecy. But it is laying around there, somewhere. Most surely, the evidence and main coverup is in the security, legal, and accounting divisions. Enron was never alone.
Re: (Score:2)
Go to a financial power center, find the center of crime. Well dressed, groomed, prepared, by an army specialists in PR, marketing, design, security, privacy, and secrecy. But it is laying around there, somewhere. Most surely, the evidence and main coverup is in the security, legal, and accounting divisions. Enron was never alone.
Bad thing that the criminals are those who are seen as successful. Somehow, values clarification did not work in the past century (so the starting point, strangely, coincides with the establishment of the Federal Reserve System - no, i will not mention the air of the "Elders of Zion" - forgery or not - except in a side note).
CC.
Re: (Score:2)
What are we; but slaves to finances?
I think you're holding, I mean, taking it wrong.
We aren't slaves to finances. We're slaves to another people, that happened to control this weird thing called finances.
Do not confuse the tool with the hand that wields it!
Re: (Score:2)
I think that corruption also requires laws and regulations that can be bent, or at the very least contracts.
Material desire in itself doesn't seem enough.
Re: (Score:3)
The inevitable result of government itself is corruption.
The inevitable result of humans living socially is corruption. Therefore, people should cease to be social animals because somewhere along the line someone will screw someone else over.
The inevitable result of money is corruption. Therefore, we should abolish all monetary systems and the systems of distribution that depend on them.
The inevitable result of monogamy is corruption. Therefore, we should embrace Brave New World sexual practices and everyone should sleep with everyone so no one will be jealous.
Do
Re: (Score:1)
The inevitable result of monogamy is corruption. Therefore, we should embrace Brave New World sexual practices and everyone should sleep with everyone so no one will be jealous.
This is what I keep telling my fiancée, but she still seems sceptical.
BTW, you should mark that up as <cite>Brave New World</cite>. Most UAs display it as italic, but semantically speaking, using <i> (yecch) or <em> is not the same at all.
Re: (Score:2)
a government censor and the Chinese government should realize corruption is an inevitable result of censorship.
The inevitable result of government itself is corruption.
Arguing over minor facets is pretty pointless in the long run.
Only because without government, there are no rules against which corruption can be judged.
TLAs (Score:2)
CC.
Re: (Score:3)
Meh, it wouldn't have been that big of a deal. Thirty years ago they were making similar jokes about Japan. [youtube.com]
Re: (Score:2)
ARGH! Edit... bloody ipad missed my typing...
"American companies are deliberately having Chinese companies manufacturing high tech devices"
just like home! (Score:2, Insightful)
Hundreds of millions of Chinese operate on the Internet without any real sense of privacy, fully aware that a massive eavesdropping apparatus tracks their every communication and move..
... just like Google! And Facebook! And half the Android apps!
Why not use encryption? (Score:5, Insightful)
I don't understand the summary, but riddle me this: Is there any good reason not to use end-to-end encryption?
We've had PGP since 1991 and SSL and SSH since 1995. Some of these were developed in response to plaintext sniffing attacks. That means that the fact that communication in the clear is a security risk and the fact that there are people listening to your communications in order to obtain sensitive information haven't been news, and easy ways to protect your communications against this have been available, for over 15 years.
Re:Why not use encryption? (Score:5, Interesting)
...We've had PGP since 1991 and SSL and SSH since 1995 ... easy ways to protect your communications against this have been available, for over 15 years.
I don't think that your definition of "easy" is the same as mine. I've worked with all kinds of operating systems, hardware, software, and so on. I've read TLDP while deciding how I wanted to configure the multitudes of flags for a new kernel on my Slackware box (Pentium MMX FTW!). I'm not afraid of trying new stuff or reading documentation to get it done. I've used PGP(GPG) and I'd say it's far from easy. I understand PKI principles on a superficial level, but to use PGP hasn't ever been intuitive to me.
It's probably safe to say that a great number of people reading this post have had to field telephoned questions from relatives who didn't know how to download and install a Windows application. And you're telling me that PGP is easy? In the few cases I've used it, I've also had to give my colleagues or business partners tutorials on how to read or compose emails with it, because I'm the techie-guy, not them. And because of the high bar, there were very few people in personal or professional circles who could receive such a message.
HTTPS is relatively easy to implement for administrators and it's transparent to most users, requiring little additional knowledge. I really do welcome the day when a PGP-like product is that easy to use.
Re: (Score:1)
Way to miss the previous posters point.
The point is "I may know how to set this up, but nobody else I could reasonably use it with does."
The start of a secure communications channel starts with NOT handing something over in plain sight. As soon as that chain of custody is exposed, the entire chain is compromised. Sending encryption keys to China is a mistake waiting to happen.
Re: (Score:1)
Anyone who is even marginally computer literate can set up pgp. My father can do it. There just isn't much to it. "Not knowing how" is meaningless when it's a quick google away. It's like saying, "I don't know when the treaty of Versailles was signed". I don't as of this moment, but as of this moment after 5 seconds of googling, I know it was 28 Jun 1911. We live in a world where information is at your fingertips.
Re: (Score:3, Funny)
Re: (Score:1)
The point would be that users who don't know how the FFT works shouldn't be able to use Instagram (oh, boy, if I wish so...).
The reality is that people use tons of complex algorithms every day without knowing it not because they are easy, but because they've been made easy for them and/or implemented in a transparent manner. Pretty much none of Gmail users even know what HTTPS stands for, but everybody started using it when
Who are YOU talking about? (Score:2)
It's probably safe to say that a great number of people reading this post have had to field telephoned questions from relatives who didn't know how to download and install a Windows application.
We're not talking about your grandma or dad or uncle Joe...
We're talking about a fairly substantial company doing business in China.
Common sense and perhaps (if they had it) internal security *should* have suggested encryption for critical business communications with the Mother Ship.
Re: (Score:2)
Re: (Score:2, Insightful)
The reason it's not ubiquitous is US federal laws on the encryption of export. That's what's blocked its proper use with PGP, and with proper 3DES 25 years ago for UNIX passwords, and what prevents the use of reasonably robust encryption built into network cards themselves. The restrictions on export have also been used as a bludgeon to threaten companies that provide *domestic* end-to-end encryption in their products.
There have been attempts to get federal approval for such technologies, but *all* such ap
Re: (Score:2)
Encryption/decryption is easy, it's the key management and "web of trust" that isn't. The thing is, they made this way, way too complicated, theoretically correct and person-oriented. Who knows best if I'm the owner of account foo@domain.com? The domain, because I authenticate against them to collect my mail. I should be able to generate a PGP key and tell domain.com this is my public key. *Optionally* they should also be able to store my private key and let me rely on the safety of my password. On the send
Re: (Score:3, Informative)
Yes,
If part of your business is in china, and the government demands the ability to intercept its communications.
Like the summary said, this was likely an official monitor looking to make some quick cash on the side. These are the people who legally have access to your most sensitive corporate secrets because the government says so.
Re:Why not use encryption? (Score:4, Insightful)
I don't understand the summary, but riddle me this: Is there any good reason not to use end-to-end encryption?
Encryption? Do you have something to hide there, comrade?
That's the reason why.
Re: (Score:1)
Please do give some sources for your claims. I suspect you are confusing cracking/hacking/breaking/bruteforcing encryption and finding leaks in key management.
block china (Score:5, Interesting)
Re:block china (Score:5, Informative)
knew how to "block all of the Chinese IP ranges"
Okean.com has the goods [okean.com].
Re: (Score:2)
Want to block Chinese and Korean language emails even if they aren't relayed through mail servers in those countries?
This guy lives in SAN FRANCISCO of all places and says this?
what about the innocents? (Score:5, Insightful)
China is full of people who want to reach out to the other countries and talk with us... how can it be good to break them off?
Re: (Score:1)
Re: (Score:2)
They can't kill VPN, unless they only allow https on whitelisted sites, or MITM all non-whitelisted SSL.
Re: (Score:1)
Re: (Score:2)
It's also racist, but we all get a free pass when talking about Chinese hackers for some reason.
Re: (Score:2)
Just sayin'...I'm sympathetic because I have the exact same problems.
Re: (Score:2)
china teaching the wild west (Score:1)
does he think the US doesnt monitor stuff too? (Score:3)
ever heard of Fusion Centers, the TSA, the NSA , etc etc etc?
granted we dont have widespread extortion and bribery - often because those programs are supposed to be secret.
Re: (Score:2)
WTF?? (Score:5, Funny)
This alleged extortion plot happened in 2007
Re:WTF?? (Score:5, Funny)
Yeah, but someone at Slashdot messed up and clicked the approve button too soon. The story was scheduled to run in 2017.
Go into China and not expect this? (Score:1)
Monitoring devices (Score:3, Informative)
I heard a lot of speculation and fears from colleagues who came over. I had our HR manager tell me how she knew her blackberry was getting monitored because she could hear it getting tapped. Seriously, your mobile doesn't get routed through an analogue exchange with a tape recorder attached. There's a lot of misunderstanding and mistruths that get spread around. That's not to say censorship doesn't happen. A number of people I know had blog posts removed because of sensitive keywords - that actually seemed to be regarded as pretty normal, and they weren't worried about being dragged away for a 'cup of tea' with the authorities. The reality is generally a lot more normal that you'd imagine though.
In terms of what happened to the CEO's mail account, I think it's much more likely that their machine was compromised with malware. Malware is rife in China, mostly as there's still a huge amount of software piracy. I've seen plenty of download sites in China with files riddled with trojans. Given that their personal email was also broken into, it does sound like their machine was compromised rather than line monitoring. The device attached to the server? I don't buy it...
Re: (Score:1)
Actually, they do have monitoring devices for internet traffic.
Typically a huaiwei router doing sniffing for keyword traffic that then gets passed to local PSB level monitors.
I can take a photo for you of one in a day or so if you want. I get to maintain stuff that connects to them, basically you ensure that everything is encrypted and goes through a vpn so they don't get to do much sniffing..
Re: (Score:1)
Global crimes merit a global response (Score:2)
Crimes that occur on the World Wide Web are by definition international crimes. They cannot, then, be properly investigated or prosecuted by any national entity. A new global authority is needed for that.
Seeing how our previous attempts (NATO) of international collaboration have worked out I'm not exactly sanguine that this will occur in my lifetime, but it will have to be addressed eventually. Alternatively, we could just drop some bombs on China. I don't really care.
OMG! (Score:1)
Re: (Score:2)
A 'CEO' "payed' "$150,000" to ... shut up the complaint ?
No he didn't. He refused to pay the extortion.
Re: (Score:1)
oh crap they're monitoring us. everybody play it cool or they'll shut off our supply of iphones and ipads.
Re: (Score:1)
oh crap they're monitoring us. everybody play it cool or they'll shut off our supply of iphones and ipads.
Please do!, Shut off the supply. I'm tired of the hipster garbage icrap. In the past year I have been in two car accidents, One cause by a hipster texting on his iphone and the second they were using a ipad as a map.
Re: (Score:3)
Uh... the part where someone tried to extort six figures for stolen business information?
In what universe is that not a story?
Re: (Score:3)
What else did he know? What else was there to know? Who was doing this? Why? What did other people already know? Was there anything about me they didn’t know, or couldn’t misconstrue to their advantage?
Have you ever heard of encryption?
It should be standard on every e-mail app, just like it's standard on every router. I would love to encrypt all of my e-mail, but my friends are either too lazy, or too technically illiterate, to install and use it. If it was part of setting up your e-mail, well, the world would be a better place. Tell ya what, though: If I were doing business in a place China, (or Russia, or Cuba, etc.), I would insist upon it. But, who knows what servers your e-mail gets bounced around on as it is?
Totally agree. Yonks ago it was said that an email is about as private as a postcard. Sending private or business-sensitive information over the email is just foolish.
And don't start the 'yes but encryption can be hacked' chain. Replace "Uncle Bill" with [company name] and "Plums" with [financial amount] and the sentence "Uncle Bill wants the plums by Friday for the pie he's making" is meaningless to anyone without the key. Cryptography's been around since before Caesar.