Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Businesses United States

Feds Thwart Extortion Plot Against Best Buy 942

hiero writes "From an article in the Star Tribune: 'Federal authorities said Tuesday they thwarted an extortion plot against Best Buy Co. Inc. by a man who sent the company an e-mail threatening to expose what he claimed were weaknesses in the retailer's computer system unless he was paid $2.5 million.' What's really interesting to me, though, is this paragraph further on in the article: 'The federal search warrant was obtained the morning of Oct. 24 and allowed the FBI, with Best Buy's cooperation, to use an Internet device known as an Internet Protocol Address Verifier. It contained a program that automatically sent back a response to Best Buy after the company sent a message to the e-mail address. The response allowed investigators to identify Ray as the sender of the e-mail threats, according to the government.' Internet Protocol Address Verifier? Is this Carnivore in action?"
This discussion has been archived. No new comments can be posted.

Feds Thwart Extortion Plot Against Best Buy

Comments Filter:
  • I think... (Score:5, Funny)

    by Anonymous Coward on Wednesday January 07, 2004 @06:37AM (#7901730)
    I think it's called a return receipt :-D Probably was using Outlook which automagicly sends one when requested.

    Blogzine [blogzine.net]
    • by isorox ( 205688 ) on Wednesday January 07, 2004 @07:19AM (#7901885) Homepage Journal
      I do wonder about the sanity of our boss, who sends an all-employee email out (5 in the last two months) with a read receipt request. IIRC there's somewhere in the region of 20,000 employees.
  • No Wonder (Score:5, Funny)

    by PoitNarf ( 160194 ) on Wednesday January 07, 2004 @06:37AM (#7901731)
    That's what happens when you try to extort a big company using Outlook.
  • by morzel ( 62033 ) on Wednesday January 07, 2004 @06:37AM (#7901732)
    "Internet Protocol Address Verifier? Is this Carnivore in action?"
    Methinks that would be marketing speak for an HTML mail with a web bug (1x1 transparent pixel image loaded from remote server). If the 'villain' is using a mail program that displays HTML, his IP address is logged.

    • by orthogonal ( 588627 ) on Wednesday January 07, 2004 @07:01AM (#7901829) Journal
      Methinks that would be marketing speak for an HTML mail with a web bug

      That's my guess too. If so, had the extortionist had his mail client set up like mine, he wouldn't have had his IP "verified".

      My client, actually, is the (rightfully) much maligned Microsoft Outlook, but I don't have a problem with web bugs, because my firewall only allows Outlook to connect to one address -- my domain's mail server -- and only to two ports at that address, ports 110 and 25.

      This means no web bugs or any referenced (as opposed to inlined) images are ever displayed. In the few cases where I actually want to see referenced images, this is a minor inconvenience, but it's more than offset by knowing that no spammer -- or corporation -- ever gets verification of my email address.

      For most mail, of course, it's not an issue. Important email rarely if ever contains referenced images; indeed I discourage anyone from sending me HTML-encoded email at all.

      And if I want to view a url included in an email, I just click on it, and Firebird (which is allowed to connect to any address, so long as it's to port 80) displays the url. If I really want to see an email in its full glory (and I never do), I can always save it and then open it in Firebird.
    • by azaris ( 699901 ) on Wednesday January 07, 2004 @07:59AM (#7902039) Journal

      Methinks that would be marketing speak for an HTML mail with a web bug (1x1 transparent pixel image loaded from remote server). If the 'villain' is using a mail program that displays HTML, his IP address is logged.

      The villain didn't of course use any mail program but some generic webmail address (most likely outside the US). The lesson? Use Lynx to read your webmail when extorting Best Buy.

  • Hmmmm... (Score:4, Insightful)

    by graveyardduckx ( 735761 ) on Wednesday January 07, 2004 @06:39AM (#7901734)
    and this is where he's going to say his computer was hi-jacked, right? Even Carnibore has its limitations.
  • by Anonymous Coward on Wednesday January 07, 2004 @06:41AM (#7901743)
    sounds so much better than "ping"
  • by metlin ( 258108 ) on Wednesday January 07, 2004 @06:41AM (#7901745) Journal
    One one hand, if a genuine white hat hacker finds an exploit in a network and told the owners about it, s/he finds himself ostracized for the actions, and is threatened with legalities.

    And on the other hand, what this guy tried to do was establish a "business relationship" -- notice that he did try to contact them first with the offer to help them:

    The e-mail also offered to establish an unspecified business relationship between the sender and Best Buy, adding: "Without your response, we are obligated to share the security hole with the public for their protection. As a result, Best Buy may experience a loss in business, thefts and lawsuits."

    Ofcourse, once he noticed he wasn't getting anywhere, he decided to resort to good ole' blackmail.

    Honestly, this was bound to happen some day or the other. When legitimate security people point out bugs and holes, they get treated like scum and are threatened with law suits. So whats the best thing to to? Threaten the companies with money. Even if 0.1% of the companies gave in, it still is a way of making money.

    Good, atleast this way companies will be more careful about protecting data.
    • by tuxette ( 731067 ) * <tuxette&gmail,com> on Wednesday January 07, 2004 @06:48AM (#7901773) Homepage Journal
      Honestly, this was bound to happen some day or the other.

      I think it's happening more often than what we read about in the mainstream press. Most businesses want to keep things hush-hush as to not generate bad publicity.

      Good, atleast this way companies will be more careful about protecting data.

      I doubt it, although I tend to be a pessimist when it comes to these matters. As long as they can hide behind lawsuits, it will be business as usual.

      My final note of pessimism: things are going to get much worse before they get better. Brace yourselves!

    • by UnknowingFool ( 672806 ) on Wednesday January 07, 2004 @07:00AM (#7901823)
      When legitimate security people point out bugs and holes, they get treated like scum and are threatened with law suits. So whats the best thing to to? Threaten the companies with money. Even if 0.1% of the companies gave in, it still is a way of making money

      Although the article is not very detailed in this aspect, his actions do not speak of someone trying to help BestBuy. Some of the info is not released due to security concerns and pending litigation but this seems more like a black mail scheme more than anything else. If he was serious about helping BestBuy, asking for money ($2.5 million) sent the wrong message because the mafia also used terms like "business relationship" and "offer they can't refuse" when shaking down people as well. Until we know more, all we know is that he said enough in his emails that BestBuy and government thought he was threatening.

    • by mumblestheclown ( 569987 ) on Wednesday January 07, 2004 @07:06AM (#7901845)
      When legitimate security people point out bugs and holes, they get treated like scum and are threatened with law suits. So whats the best thing to to?

      Do nothing and MYOB. If companies lose substantial amounts of money because of lax security, then they will do one of two things:

      • improve their security / invest more in security
      • go out of business and/or be less competitive.
      in either case, the consumer wins (as in case 2, more competitive companies will spring up to take their place).

      If, as it turns out, that external security consultants are the way to go, then such companies will engage in a business relationship with one of dozens if not hundreds of world class security firms.

      What we don't need is whiny "independent security researchers" doing what amounts to unprofessonal blackmail attempts ("let's establish a 'business relationship' or I spill the beans.) Computer tresspass is computer tresspass. We don't need to revise trespass laws to improve security - we need companies to go to legitimate security firms and use their tiger team services and so on.

      • by the_mad_poster ( 640772 ) <shattoc@adelphia.com> on Wednesday January 07, 2004 @09:15AM (#7902375) Homepage Journal

        Computer trespass is computer trespass.

        I'm so sick of this crap, I don't even know where to begin.

        Best Buy is NOT the entire Internet. Best Buy's security problems could potentially be used to inconvenience or incapacitate innocent sites nearby or, even, innocent sites with no connection to Best Buy whatsoever. Best Buy has a responsibility to fix their security problems when they're made known. If Best Buy's lumbering managerial morons see fit to ignore contacts and help offers, there is nothing wrong with exposing Best Buy's problems to force their hand (blackmailing them is a totally different story).

        This ridiculous attitude with these clueless businesses is tantamount to politely telling someone their fly is unzipped and getting your nose punched in gratitude (as the person continues to wander around with the fly unzipped, punching people who are trying to help them). If you find a security problem, you let them know about it. If they ignore you, you let everyone else know about it to force their hand. It's not like if someone who's looking to cause trouble right off the bat is going to give a warning shot over the bough and let them prepare. Hmmm... say I'm poking around a form on a popular retailer's website and accidentally type in a "funny character" and submit it. What's this? SQL error? Oh? I guess I should just keep my mouth shut, right? I shouldn't bother to try and report this glaring vulnerability? After all, I have no obligation to their customers, and, since I have no moral compass at all, I shouldn't even think of those poor, trusting fools, right? Give me a break...

        ...we need companies to go to legitimate security firms and use their tiger team services and so on.

        You're a real riot. Are you on one of these "tiger teams", perchance? Mad because all your training doesn't amount to a hill of beans more than someone with a lot of book reading and practice and they're stealing your business by giving out free advice? Or do you just not know what you're talking about? I assume that you believe these "tiger teams" are infallible and could never make a mistake? I guess that once someone goes to a security firm, there's no possible way someone could miss something or something could change after the audit and review? I guess the "tiger team" couldn't possibly have someone on it that has, for some reason, not been acutely focused on the task at hand due to illness, fatigue, personal issues, etc.? I guess this "tiger team" has experienced every possible security problem there will ever be and has taken steps to eliminate all of them forever and there's no possible way a hole will ever be found that they didn't already psychically perceive and patch?

        in either case, the consumer wins

        I guess the consumer wins when their credit card number, name, and address get stolen too, right? I know that last time MY credit card number got stolen thanks to an utterly stupid retailer, I was REAL pleased about it. In fact, give me your address, I'll mail you all my credit cards and photo id because it's so great when people get them that shouldn't have them.

        Here's your passport, sir. Welcome to the real world. Please do try to fit in in some capacity. A good step would be to stop suggesting that knocking the lock off someone's door and walking into an unprotected computer system are the same thing. People who actively break secured systems without invitation are one thing, people reporting obvious flaws or a total lack of security in general are another. Stop lumping them altogther as "computer trespass".

  • by eaglebtc ( 303754 ) * on Wednesday January 07, 2004 @06:42AM (#7901749)
    Hmm, sounds like a fancy name for a computer expert. All you have to do is read the SMTP headers in most email and it will reveal the sender's IP. Just trace it back down the line of servers through which the email was routed, and you get back to the original IP address.

    If the sender is spoofing headers, however, this becomes more difficult. Why not just subpoena the ISP for their email data? Doesn't the server keep a log of what IP addresses sent which pieces of email?

    For example:

    Received: from [65.119.30.157] (helo=SMTP.magnellmail.net)
    by snoopy-bak.runbox.com with smtp (Exim 4.24)
    id 1Ae9TJ-0006F6-B0
    for xxxxxxxx@runbox.com; Wed, 07 Jan 2004 09:55:25 +0100
    Received: from mail pickup service by E1SSL2 with Microsoft SMTPSVC;
    Wed, 7 Jan 2004 00:56:48 -0800

    The above shows that someone at 65.119.30.157 sent this email. It went through their mail server (magnellmail.net) to runbox, my provider. From there, Runbox directed it to my Inbox when I opened Outlook.

    There is also a very unique message ID at the end of the headers section:

    Message-ID: [E1SSL23ZpEVmkWFBXZG000011b9@E1SSL2]

    Could this be used by the Email provider to find out who sent emails, if the IP address is missing or spoofed?
  • Verifier (Score:3, Informative)

    by N8F8 ( 4562 ) on Wednesday January 07, 2004 @06:42AM (#7901751)
    I did domething similar once. I put a tiny transparent image URL in a letter to try to get the IP address of someone. Then I monitored the server logs where the image was hosted.
  • by etymxris ( 121288 ) on Wednesday January 07, 2004 @06:44AM (#7901759)
    Is it when he offered a "business relation" in exchange for fixing the problem? Or was it when he threatened to disclose the flaw? Or was it merely because he wanted money in return?

    Had he just disclosed the flaw, would he more or less a criminal, ethically and legally speaking? It seems that worse would have come if he had simply published the flaw right away.

    Was he justified in asking for compensation for his findings? If not, this seems to obligate us to "work for free" when discovering such a security problem.

    What do others here think?
    • by Sycraft-fu ( 314770 ) on Wednesday January 07, 2004 @08:03AM (#7902056)
      without their permissions you are a criminal, both legally and morally. My stuff is my stuff and I'll thanky ou to keep your hands off it. If you wish to audit anyhting I have, physical or virtual, you'd better ask my permission first, or you'll face consequences.

      This seems perfectly reasonable and there is plenty of precident in the physical world:

      My house has many known security flaws. The largest would be the windows. They are easily broken with just a rock, allowing access. My door would also be a flaw, it's solid, but nothing a battering ram in experienced hands couldn't break down in a few minutes. My lock is aslo a flaw. IT's better than most, a high security lock that is much harder to pick than normal, but it still is pickable.

      So, if someone breaks into my house and demands money to fix it, should I honour that? No, I'd by perfectly jsutified in holding them at gun point and calling the police to have them punished. Regardless of thier intent, it's MY house and you'd better not enter it without my permission.

      It is similar for computer systems. If I pay you to hack my stuff and report on it, great. YOu are providing a valuable service and I thank you. IF you break into my stuff without my permission, you are a criminal pure and simple.

      Also, demanding money ex post facto is something else we have a law against, it's called balckmail and is illegal.

      Look, if you want to find flaws in stuff, do it legally. Contact the owner and ask if you may hack them. If they say no, move on. IT is not your duty or right ot mess with their stuff without permission.
  • suit talk (Score:5, Insightful)

    by broothal ( 186066 ) <christian@fabel.dk> on Wednesday January 07, 2004 @06:45AM (#7901762) Homepage Journal
    This is just a case of bad journalism. Of course, there are many methods of getting the IP of the receiver of an email The most common is a webbug (a link to an image on a server you control), but that requires for the culprit to use a mail client that renders HTML.

    "Internet Protocol Address Verifyer" sounds like something you'd find in a Movie OS. Of course, like all other buzz words, the name is not related to the alledged function.

    They either used a webbug, og checked the IP in the header of the mail he sent with his claim.
  • Anti-Spam tool? (Score:3, Interesting)

    by toker95 ( 645026 ) <jbtokash@e[ ]hlink.net ['art' in gap]> on Wednesday January 07, 2004 @06:46AM (#7901764)
    Personally, Why isn't technology like this being adapted to fight SPAM. Maybe the FBI is trying to keep tools like this under wraps so they can continue to use it against people, rather than knowledge of its existance being a deterrent... double-edged-sword i guess. I'm honestly curious how serious the extortionists were... The scheme sounds very half-hatched to me...
  • by bwalling ( 195998 ) on Wednesday January 07, 2004 @06:48AM (#7901770) Homepage
    They got a warrant BEFORE they used the program. Whatever the program did - read information from his PC or just return IP address - it was a valid, legal search. We should be considering this a victory for our rights. The only way I can see anyone complaining about this is if the warrant was improperly obtained, but it seems entirely reasonable to "search" the email address that has been attempting blackmail.
  • by Bruce J L ( 693697 ) on Wednesday January 07, 2004 @06:51AM (#7901781)
    They probably just read the mail headers as soon as he replied to the letter they sent him. From this and the time the email was sent they probably had no trouble asking his isp for the user information. Criminals are not always the smartest apples and he probably didnt even have a way to crack the website.

    If he wasnt clueless he would have used a dummy email account and checked it via rental computer or at the very least a dial up account using *69 ( which can still leave your number ) and a prepaid credit card / gift card.

    This guy reminds me of the old irc script kiddies who would do things from their house and wonder how they were tracked down. While anonomyzers are available it makes me wonder if he,

    a. used one
    b. had used a computer before

    As to the FBI ip verifier i find it hard to believe they have anything more advanced then the current jscript / asp / log parsers to pull ip information.

    AFIK the absolute most a email address can yeild is the ip of the server. However with the email headers im sure you can get a ip without too much trouble with a warrant.
  • by Black Parrot ( 19622 ) on Wednesday January 07, 2004 @06:52AM (#7901787)


    Make sure you turn off Message Disposition Notification in your e-mail client.

  • by SomethingOrOther ( 521702 ) on Wednesday January 07, 2004 @06:53AM (#7901792) Homepage

    Internet Protocol Address Verifier? Is this Carnivore in action?"

    That'll be a tiny 1x1 pixel gif embeded in a HTML e-mail called from the feds server.(AKA web bug... You cant turn off HTML in M$ LookOut and this dude dosent sound very clued up)

    Presto, the feds know who opend the mail how long they looked at it etc etc etc.

    A top tip (tm) is to embed a web bug in a job aplication e-mail. Its interseting to watch your aplication being pushed around various departments and see who actually reads it.

  • by katalyst ( 618126 ) on Wednesday January 07, 2004 @06:53AM (#7901793) Homepage
    the Internet Protocol Address verifier get into the hands of the RIAA.. we would not want more 12 yr olds and college students being fined ridiculous amounts, would we? :D
  • What carnivore does. (Score:5, Informative)

    by Chrysophrase ( 621331 ) on Wednesday January 07, 2004 @06:54AM (#7901796) Homepage

    Over here [fbi.gov] there is a Congressional Statement of what Carnivor "officialy" does, or is "allowed" to do. One paragraph of this statement:

    Carnivore is a very effective and discriminating special purpose electronic surveillance system. Carnivore is a filtering tool which the FBI has developed to carefully, precisely, and lawfully conduct electronic surveillance of electronic communications occurring over computer networks. In particular, it enables the FBI, in compliance with the Constitution and the Federal electronic surveillance laws, to properly conduct both full communications' content interceptions and pen register and trap and trace investigations to acquire addressing information.

    gives us the gist of it. So yes this very well be Carnivore in action.

  • by chronus22 ( 645600 ) on Wednesday January 07, 2004 @06:58AM (#7901816)
    This is the first time google [google.com] has heard about it as well, apparently.
  • by Anonymous Coward on Wednesday January 07, 2004 @06:59AM (#7901818)
    I'm much more concerned that their cash registers use WiFi without a lick of encryption... I read several stories a while back about people sitting out in the parking lot with sniffers, capturing credit card information...
    • Uhh... (Score:3, Informative)

      by Anonymous Coward
      Hey dumbass! If you had bothered to do even the simplest of searches, you would find out that Best Buy stopped doing this long ago.
  • by TyrranzzX ( 617713 ) on Wednesday January 07, 2004 @07:09AM (#7901857) Journal
    When you find a bug, no matter how serious with someone's system, publish it. Why do I speak such insanity? I reverse engineer hardware and some software for fun, if I find a bug I'll report it because I'm a nice person and I'd like it to get fixed. I understand that our society works only because the black caps have realized when they found a doomsday bug that implementing it would mean they turn society into hell and they'de be right in the middle of it. I'd like to make a difference and help to defend myself by helping others out, this is how I convince selfish self to help others.

    So, since you don't want to treat me with respect like I treat you with respect, from now on I won't be nice or treat you with respect. I'll publish your flaws for all to see. It can be as big a publication as slashdot or bugtraq, or as small a publication as telling my friends and throwing it up on p2p.

    I guess we'll have to teach them what happens when they treat us with no respect. This is a decision every white cap has to make for themselves.

    I for one, am done playing the part of the nice martyr. The day I get arrested and incarcerated for releasing information I or someone I know researched because someone doesn't like loosing money is the day we no longer live in a free country, and the day I go black cap. Believe me, I don't want it to come to that, I like my steak and potatoes and living in a nice house, but if that's where it's going I am going to defend my hobby.
    • by Sycraft-fu ( 314770 ) on Wednesday January 07, 2004 @08:10AM (#7902074)
      Look, if you have a peice of software and you hack it on your own systems and/or network, that it leagal. You then publish teh exploit, also legal. However if you come and hack MY network without my permission, that's NOT legal.

      People who illegally break into systems deserve no more respect or consideration than people who illegally break into houses. You have no right at all to enter or use other people's property without their permission. Don't pretend like because it is a computer system that makes it any better.

      IT's like lock picking. IF you want to learn to pick a lock and find out its venurabilities, go right ahead. But do it on a lock you own. But the lock in question and play with it. To go to someone else's house and try on their lock without permission is illegal and immoral. You've no right to mess with their property.

      So if you get asked/hired to test someone's security (physical or virtual), great. Do what you can and give them a report. If you have something you own (physical or virtual) and you discover a security flaw, great, make it known so a fix can be developed. But do NOT presume you have the right to invade the property of others. It doesn't matter if it is venurable or not, it's not yours so you keep out.
      • by ratboy666 ( 104074 ) <fred_weigel@ho[ ]il.com ['tma' in gap]> on Wednesday January 07, 2004 @10:26AM (#7902802) Journal
        WTF?!?

        -- You need to think about what "property" is --

        *You* put resources on the Internet. Obviously, for *some* reason.

        Normally, the reason you would do that is to provide some service to users. Usually anonymous, given that this is the Internet, and not your private Intranet. If you want it private, don't put it on the Internet.

        And, in putting in on the Internet, the resource is available for use.

        What you *haven't* done is contracted with *me* as to how to use the service or resource.

        Let's put this in simpler terms -- if you have a 20 dollar bill in your pocket, it's yours. If someone takes it that's probably theft.

        If you put the same bill out in a public place (say, on a public sidewalk) and then go away, and someone takes, it's probably NOT theft.

        When does a resource stop being the "property" of someone? The simplest answer is when they have no control on that resource. Another /may/ be when the police do not need a warrant.

        Currently, legislation is trying to make a distrinction between "authorized" and "unauthorized" use of such a service or resource. "unathorized" if the provider of the resource doesn't like the way its used. [Of course, that's very slippery slope.]

        Ratboy.
  • by peio ( 646164 ) on Wednesday January 07, 2004 @07:13AM (#7901871) Homepage
    Even there may be something that may trace from wich (IP) address an event happened (thou I completely agree with the 1x1 gif idea) . I don't see how it may prove something in court.

    What if the email was send (the smtp server was invoked) from a compromised computer. There are lots of win98 online with hundreds exploits ready waiting for somebody who needs an IP to do something from. What if the person uses a cascade of proxyes and shells.
    I will just mention all the possibilites the iproute2 package gives to move network segments and obscure what is going on.

    We should do everything possible to prevent the court system to take computer generated information (logs) as a reliable evidence, because it may be just the start of the witch hunt...
  • by wathead ( 730323 ) on Wednesday January 07, 2004 @07:19AM (#7901886) Journal
    Anyone that reads 666 otherwise known as the hacker quarterly knows about all the problems in Best Buys network.
    It even goes in depth on how to get into thier private network from a display PC.
    How to find info on hiring and firing people etc.
    How to order stuff and have it sent.
  • by Karl Prince ( 738370 ) <Spammers.get.SLASH.DOT.ted@princeweb.com> on Wednesday January 07, 2004 @07:21AM (#7901896)
    would they have caught him

    and few other ways of hiding yourself, as below

    1. Dedicated firewalled Linux Laptop with WLAN, and changing MAC
    2. WarDrive around for a unsecure internet connection.
    3. Use proxies from unsecured PC's, lists available from DBL providers, or you Email server logs.
    4. Setup up a web mail account, and send business proposal.
    5. WarDrive to other access poiunt for continuing dialog
    6. Travel around a bit to avoid setting a Wardrive pattern

    I would think this would be very difficult to trace without social engineering

    • 1. Dedicated firewalled Linux Laptop with WLAN, and changing MAC
      2. WarDrive around for a unsecure internet connection.
      3. Use proxies from unsecured PC's, lists available from DBL providers, or you Email server logs.
      4. Setup up a web mail account, and send business proposal.
      5. WarDrive to other access poiunt for continuing dialog
      6. Travel around a bit to avoid setting a Wardrive pattern

      That's a good start but if they really wanted they'd still have something to track him down by. First you'd have to

  • by kmeson ( 165278 ) on Wednesday January 07, 2004 @07:38AM (#7901963)
    We are to believe that this guy is savvy enough to spoof his email headers so that his email address can't be traced, but not smart enough to turn off receipt verification and HTML rendering in his email program.

    You have to realize that we are getting our information about this incident from a NEWSPAPER, which the very least reliable source for technical topics. Remember this [slashdot.org] clueless newspaper article?

    I'd say we know little about what actually happened here.

  • by Anonymous Coward on Wednesday January 07, 2004 @07:45AM (#7901997)
    (Somewhat off-topic, but a related topic, honestly)

    About a month ago I discovered what could be deemed a weakness in a relatively popular online merchant's order status system, allowing anyone to view the order status for any order in the system just by changing an ID field in the URL. I often try changing such values in URLs like this for no real reason (a habit from designing my own web-based scripts), and I've never found an exploit until now.

    So with a simple perl script, it would be possible to download and parse the mailing address, shipping address, items ordered, amount paid, credit type (NOT credit card type or credit card number, thankfully) and other assorted information for any given order. After some brief checking, I determined there were over five million orders viewable in this manner, going back a few years.

    So what am I supposed to do? I have no interest in establishing a 'business relationship' with this online merchant, telling everyone how to do it seems like it would cause more harm than good, and I fear being ostracized or even litigated for 'hacking' if I tell the company, even if all I did was change a sequential, non-encrypted number in an URL.

    Or is the information accessible not a big deal to worry about?
    • by silverbax ( 452214 ) on Wednesday January 07, 2004 @08:47AM (#7902238)
      I've actually run into this issue a few times. The action I've taken in the past pretty much directly relates to the severity of the security flaw. For example, I've seen URL hacks which allow you to grab another customer's credit card information, and then some which allow only address information.

      My rule of thumb is that if a piece of information can be obtained and tracked to a specific individual, it's dangerous. That's the rule I use in my work as well.

      When I decide the situation warrants it, I send a professional, formal email to the company ( also the web admin if there is one ), stating what I found, screenshots and leave it at that. Sometimes I will point out that I intended to place an order, but halted when I saw the issue. I also let the company know they may contact me if more information is needed.

      This is what has happened in the past following these emails:

      1. Almost all companies send me an email thanking me and letting me know the problem has been corrected, and it has been. Case closed.

      2. I get a nasty email from the company ( usually this is with SMALL operations) telling me to take my business elsewhere. At first I would attempt to politely explain the risk, but soon realized that some sites have no intention of listening to me, and gave up. In that case, I may notify the BBB or other organization just to get someone else on their tail. I don't have time to chase down other people's security holes, so the best I can hope for is to let others know.

      In any case, I always use the Enron rule: What if I later had to explain my actions to a grand jury?
      • by scrytch ( 9198 ) <chuck@myrealbox.com> on Wednesday January 07, 2004 @09:47AM (#7902556)
        Thankfully, no company has yet exercised option 3: prosecute you for computer crime. It doesn't matter if they don't have a case or what laws are on your side -- they have the money, power, and desire to utterly ruin your life regardless.

        These people market and sell a product they probably know is shoddy. What makes you think they'd have the moral fibre or restraint to refrain from shooting the messenger? You can't trust their software, what makes you think you can trust them?
  • by Anonymous Coward on Wednesday January 07, 2004 @07:48AM (#7902002)
    Imagine his surprise when he received a $2.5 million Best Buy Gift Card in the mail. Doh!
  • HTML bug (Score:5, Interesting)

    by teddlesruss ( 163540 ) <ted AT faroc DOT com DOT au> on Wednesday January 07, 2004 @07:49AM (#7902006) Homepage Journal
    I imagine that yep, this person isn't savvy enough to not use html email, and they slipped a web bug into the email. Hell I'd try it just on the off chance, and it looks like it paid off for your Feds that time...

    I've had one case where a friend and I were writing a boobytrapped shell on a Linux box, to use as the login shell for a suspected system cracker, and he logged in, saw the new shell (which we hadn't quite installed yet) and RAN THE BLOODY THING FOR US! We got all the data we needed to track him down right there and then, phoned his ISP and got him shut off on the spot.

    So - yes, even the more savvy often do really really stupid things...
  • by salesgeek ( 263995 ) on Wednesday January 07, 2004 @09:04AM (#7902321) Homepage
    Here are three ways to get on America's Dumbest:

    1. Rob Taco Bell right after filling out job appication and interview. Be arrested when cops show up at your address on the application.

    2. Send extortion/blackmail emails using MS-Outlook from your normal ISP account. Be busted when FBI sends email using marketing tool like Neighborhood Email or eZine Manager. FBI is too embarassed to admit they used an e-newsletter tool and come up with the "ip address verifier" device.

    3. Shoplift naked. Be arrested when cop identifies the incredibly stupid butcher's meat chart tatoo when streaking through campus on a dare.

    4. Keep crack pipe, crack and lighter in glove box. Be arrested when you see a billboard advising "Drug checkpoint next exit" and begin throwing crack, lighter and pipe out the window while police are video taping looking for people throwing drugs and paraphanellia out the window.
  • Ask the reporter? (Score:5, Informative)

    by Doco ( 53938 ) <Dan@oelk e . c om> on Wednesday January 07, 2004 @10:38AM (#7902884)
    Didn't anyone else think that maybe just asking the reporter would do the trick? His email address is right at the bottom of the article.

    <sarcasm> oh wait - this is slashdot right - only two people actually read the article. </sarcasm>

    I emailed Mr. David Phelps asking what an "Internet Protocol Address Verifier" was and his brief reply was the following.

    "it's commonly referred to as a web bug. i used the term as contained in the government's search warrant."

    So while the theorizing here did come up with that as a possibility - it also came up with lots of other BS.

    Now the bizarre thing is that the feds used such a wierd term. Then again to a judge or lawyer the term "web bug" probably seems pretty bizarre.
  • by puppet10 ( 84610 ) on Wednesday January 07, 2004 @10:42AM (#7902919)
    I bet he was just trying to get his rebate money from them.

Adding features does not necessarily increase functionality -- it just makes the manuals thicker.

Working...