Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Squid Robot |
| Six Years of Patch Tuesdays »
October 19, 2009
Helpful Hint for Fugitives: Don't Update Your Location on Facebook
"Fugitive caught after updating his status on Facebook."
Investigators scoured social networking sites such as Facebook and MySpace but initially could find no trace of him and were unable to pin down his location in Mexico.
Several months later, a secret service agent, Seth Reeg, checked Facebook again and up popped MaxiSopo. His photo showed him partying in front of a backdrop featuring logos of BMW and Courvoisier cognac, sporting a black jacket adorned with a not-so-subtle white lion.
Although Sopo's profile was set to private, his list of friends was not. Scoville started combing through it and was surprised to see that one friend listed an affiliation with the justice department. He sent a message requesting a phone call.
"We figured this was a person we could probably trust to keep our inquiry discreet," Scoville said.
Proving the 2.0 adage that a friend on Facebook is rarely a friend indeed, the former official said he had met Sopo in Cancun's nightclubs a few times, but did not really know him and had no idea he was a fugitive. The official learned where Sopo was living and passed that information back to Scoville, who provided it to Mexican authorities. They arrested Sopo last month.
It's easy to say "so dumb," and it would be true, but what's interesting is how people just don't think through the privacy implications of putting their information on the Internet. Facebook is how we interact with friends, and we think of it in the frame of interacting with friends. We don't think that our employers might be looking -- they're not our friends! -- that the information will be around forever, or that it might be abused. Privacy isn't salient; chatting with friends is.
Posted on October 19, 2009 at 7:55 AM
• 28 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Read the article - the secret service agent had to do some legwork to make this work. Good for him!
Hmm now there's an interesting thought arising...
What if you had a "double" posting for you with their true location...
Let us make an assumption, the mobile malware develops to the point of being able to "bot net" peoples phones.
You could within reason bounce your posts through another persons mobile phone after reading their GPS and looking it up on Google.
You could say "Hey having a great time at the Dog-N-Duck" or whatever social place your chosen "doubles" phone is in / near...
And if you track them and their social group you could post from their phones in turn...
The investigator would surely conclude you where known to the group and probably being sheltered by them.
This could get to be a lot of "fun"...
"Helpful Hint for Fugitives: Don't Update Your Location on Facebook"
Helpful Hint for Fugitives2: Have a 'friend' claiming to have affiliations with the justice department to see if anyone is still trying to find you.
If he was an American, they would not even have had to find a coöperating friend; they could have just subpoenaed the information from Facebook itself.
There are all sorts of ways this can be used. Create an imaginary friend. Stop at a library in St. Louis and update your status that you are heading to visit your friend Bob. Then reply to your status with the imaginary friend Bob's account saying "see you tomorrow!" Then have a made up address in Detroit under Bob's information (perhaps an actually address of a Bob in detroit you found on whitepages.com).
Meanwhile you get in your car and head south instead of north.
I was wondering that myself. Since Facebook is an American company, I wouldn't think it would matter where Sopo was or where he was from. I'm guessing it was just easier to talk to his "friend" that it was to go through the process to get a subpeona.
Who else went straight to Facebook and searched for "Seth Reeg" :-)
"SECRET Service" ?
@: It's easy to say "so dumb," and it would be true, but what's interesting is how people just don't think through the privacy implications of putting their information on the Internet.
One of my best friend's, just in February, used Facebook information in his divorce. His wife made him leave and changed the locks, and she was trying to leverage for as much money and assets as possible (we know this can get nasty). She removed my friend from her Facebook, yet didn't realize she had her information set to "Friends of Friends" on who can view, and they still had mutual friends.
She denied there was someone else fearing it may hurt her case for money, yet he had her Facebook statuses where her new boyfriend moved in just days after she kicked her husband out, where they celebrated their 2 or 3 "month anniversary" a month after her husband was kicked out, etc. There was messages with friends where she said her husband was good to her, she just fell for another guy, etc. It also proved her trips to see her sick father before the separation were really getaways with the boyfriend.
I still find it amazing how people suffer a mental block when using computers. Otherwise intelligent people create a paper trail (or should I say paperless trail) of things they don't want others to know.
"Helpful Hint for Fugitives2: Have a 'friend' claiming to have affiliations with the justice department to see if anyone is still trying to find you."
Right - because you can't get in trouble for impersonating a federal officer. Oh, wait...
Based on your frequent dealings with TSA and past comments, I'd love you to address the commentary in Randall Munroe's most recent comic. It is around the idea of using laptop batteries as a bomb. Which is weird because water in bottles can easily be opened right there and drank in front of employees to prove that it is safe.
I often found this policy very inconsistent in my past as well.
@dylan38: "Right - because you can't get in trouble for impersonating a federal officer. Oh, wait..."
If it is the fugitive posing as one of his own friends to see if he is on the radar, he probably wouldn't be worried about it. After all, he's already a fugitive.
Social Media isn't the only place you have to be careful...
Jake: How are you gonna get the band back together, Mr. Hot Rodder? Those cops have your name, your address...
Elwood: They don't have my address. I falsified my renewal. I put down 1060 West Addison.
Jake: 1060 West Addison? That's Wrigley Field.
@gonzo: What confused me the most about this is that the banning of water happened about the same time there were those spontaneously combusting batteries.
This is very humorous. Every user should be aware that being solialized means being publicized, and searchable.
More in the webcomic vein (this time "lead pipe cryptanalysis"):
(Is there a "things Bruce might find interesting/amusing" link on the site? I didn't see one other than posting a comment to an existing article...)
I think it's interesting that the leak hinged on the guy trusting random strangers to keep his secrets. Granted, he was giving away more than he thought in Facebook posts, and the fact that Facebook was leaking contact information was an important consideration he very foolishly overlooked, but his belief that the 'private' flag on Facebook was at least semi-private was apparently true -- someone inside the privacy wall had to turn on him.
Sorry, Bruce, but your headline is misleading. The original article headline said he updated his status ("HERE TO HAVE FUN PARTEEEEEEE"), not his location. However, that headline was also misleading. The article indicates that they already knew he was in Mexico, and his Facebook status apparently didn't give them more than that.
The key to his downfall was that he used his real name. That provided a starting point to look for IP addresses, friends, or whatever else. (First rule of staying under the radar: stay under the radar!) Posting a comment on your blog could have exposed him too. :-)
Having said that, your point is exactly right: "Privacy isn't salient; chatting with friends is."
"Privacy isn't salient"? I had to look up the meaning of salient, and I cannot resist saying: "that word, I do not think it means what you think it means". Or am I missing something (probably something really big :-) ?
I bet this assistant US attorney Scoville's unit laid some heat upon that guy.
@pfogg: "Facebook was leaking contact information was an important consideration he very foolishly overlooked, but his belief that the 'private' flag on Facebook was at least semi-private was apparently true -- someone inside the privacy wall had to turn on him."
That really isn't new, it just looks that way based on technology. The authorities have always solicited friends, neighbors, etc, to give up information on someone they were pursuing. This includes any conversations (and possibly phone numbers) or post marks on mail.
Also, don't send myspace messages to family members while on the lam in Mexico, as Cpl. Cesar Laurean was caught this way back in 2008.
Lawyers are using facebook friends lists to track down subpoena targets.
@Andrew: "Lawyers are using facebook friends lists to track down subpoena targets."
Not surprising. They still would have to go through due process and present a case for the subpeona, but it's nothing new. If a Facebook status indicates Bob was staying with Fred in Detroit during the time of a crime, Bob would likely be asked to confirm or refute the claim. I doubt they would pursue a subpeona just because someone was on their friends list, and doubt even more it would stick if they did.
Come on people... get real. The simple truth of the matter is that sopo is typically stupid. A trait generally displayed by his kind. There are so many ways to get around being tracked through facebook it's unreal. If someone is stupid enough to actually use their real name and post their real picture, then they deserve getting caught! End of story.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.