Bizarre High-Tech Kidnapping

This is a story of a very high-tech kidnapping:

FBI court filings unsealed last week showed how Denise Huskins' kidnappers used anonymous remailers, image sharing sites, Tor, and other people's Wi-Fi to communicate with the police and the media, scrupulously scrubbing metadata from photos before sending. They tried to use computer spyware and a DropCam to monitor the aftermath of the abduction and had a Parrot radio-controlled drone standing by to pick up the ransom by remote control.

The story also demonstrates just how effective the FBI is at tracing cell phone usage these days. They had a blocked call from the kidnappers to the victim's cell phone. First they used a search warrant to AT&T to get the actual calling number. After learning that it was an AT&T prepaid Tracfone, they called AT&T to find out where the burner was bought, what the serial numbers were, and the location where the calls were made from.

The FBI reached out to Tracfone, which was able to tell the agents that the phone was purchased from a Target store in Pleasant Hill on March 2 at 5:39 pm. Target provided the bureau with a surveillance-cam photo of the buyer: a white male with dark hair and medium build. AT&T turned over records showing the phone had been used within 650 feet of a cell site in South Lake Tahoe.

Here's the criminal complaint. It borders on surreal. Were it an episode of CSI:Cyber, you would never believe it.

Posted on July 29, 2015 at 6:34 AM • 48 Comments

Comments

Chris • July 29, 2015 7:10 AM

This affects me personally. Well... it means that when my coworkers and I play the "how to get away with a crime" game over lunch, it just got a lot harder!

ValensT • July 29, 2015 8:26 AM

> "Target provided the bureau with a surveillance-cam photo of the buyer.."

Quite surprising that retailers can so easily correlate the purchase of a cheap, throwaway cellfone with store video of the actual consumer purchase of that trivial item.

The US government already collects all credit-card transaction data -- now seems they can partially track cash purchases. Apparently major retailers maintain a broad database of electronic checkout-counter data (barcode scans, cash register entries, etc) correlated with the normal overhead security camera time stamps.

Some retail stores are likely tracking/storing/analyzing every movement & purchase of every person in their store (including employees).

U are being watched !

Yet • July 29, 2015 8:28 AM

Oh now this is just a fun read. I can only imagine the reactions the cops had as they were investigating it.

Count 0 • July 29, 2015 9:15 AM

Never underestimate Target (or other retailers) when it comes to surveillance. They have a huge economic incentive to get it right and they spend a lot of money to get it right. For this though, all they needed was the time and location of the purchase which is a pretty easy search because they track the serial numbers of the phones and attach them to the purchase. You didn't really think these were anonymous, did you? Once you know that, you just need to go back to your stored video archive and look at the camera that covers that register for that time, again very easy to do. The ONLY limiting factor here in any real sense is how long you can keep your video. Video files are large but storage only gets cheaper so keeping several months or a year's worth is not all that expensive anymore. And it only keeps getting cheaper and easier for them to store more. I'm sure they are also working on facial recognition so they can correlate you the shopper with all the purchases you make even if you do use cash. I'm going to guess they can't quite do that yet though, because if they could they would have known this guy's name already from his existing credit card purchases even though I assume he paid cash for the phone.

Your best bet is to buy a burner for cash from some small shop that can't afford to keep its video for long and wait until you're pretty sure they don't have you buying it anymore. To be safe, I'd wait at least a year.

George • July 29, 2015 9:34 AM

One of the things-I-didn't-know (long list) discoveries after the Target breach was that the retailer is considered a state-of-the-art forensics leader and operates multiple labs that provide extensive assistance and training to law enforcement. It's not at all surprising to me that their video surveillance systems and cash registers have synchronized clocks.

parkrrrr • July 29, 2015 9:50 AM

There's a reason most of it seems pretty fantastic: it is. All of the cloak-and-dagger stuff is in the emails sent by the perpetrator to the journalist, and it seems likely that most of it is complete fabrication by someone who has watched too much television and who thinks rather more highly of himself and his technical skills than is warranted.

Wait, what • July 29, 2015 10:04 AM

@ValensT

Wait, what. This is news to you?

@Bruce. Well, there are two ways to look at this. One way to look at this is to say that the criminals had a bizarre plot. Another way to look at this is to see just how powerful the surveillance state has become and that despite extraordinary efforts they still got caught. "Maximally easy" for law enforcement by definition means maximally difficult for criminals. Maybe...just maybe...in a sane world this is a crime they should have been able to get away with.

Sometimes I wonder what we would think of our ancestors if we would be able to see footage from a hidden camera following them around during the days of the old West.

Sean • July 29, 2015 10:24 AM

@ValensT:

> Quite surprising that retailers can so easily correlate the purchase of a cheap, throwaway cellfone with store video of the actual consumer purchase of that trivial item.

Any video surveillance system that's not absolute garbage can easily pull up a certain date/time. Combine that with the fact that prepaid cell phones are usually activated at purchase (providing an exact time) and there's no reason to be surprised at all.

Michael • July 29, 2015 10:34 AM

I think the most valuable fact in this story is that the FBI didn't query its own personal massive database to obtain all this information. They had to issue a search warrant to AT&T to get information like the phone number of the anonymous caller. Then they also had to hop over to Target who then had to review surveillance footage to obtain a description of the kidnapper.

This is exactly how things should be. It seems that the FBI managed to act in a timely manner, but it had to go through the proper channels to obtain the information they needed for this case. The lesson is that data collected about us needs to be decentralized and scattered about. The government and law enforcement need the power to collect information for an investigation, but only then.

I don't mind having some personal photos uploaded on one service, email on another service, retail purchases here, banking there. The problem is when all of this information gets collected by a single organization like the NSA, Google, or Facebook. That's where the real problem lies and that needs to be stopped.


On a different note, what is so difficult about paying somebody off the street to walk into a store and purchase a burner phone for you? Given the lengths the kidnapper(s) took to hide their tracks, it seems foolish they didn't take this one extra precaution.

rgaff • July 29, 2015 10:44 AM

So that's what "parallel reconstruction" looks like... I wonder how they really found them!

Nicholas weaver • July 29, 2015 10:45 AM

The problem with the cloak and dagger stuff is it matches the evidence!

For example, the kidnappers identified the grow room to Vallejo PD (although no indication if Vallejo PD raided it), noted that they had marked the top of the victim's Camry with tape to facilitate tracking from their drone (true), the story of the stolen Mustang (which the one suspect was caught in!), admitting to particular crimes around Vallejo, photographs of the WiFi kit in people's houses, photographs of the equipment used, etc etc etc.

That is why I'm inclined to generally believe most of the Kidnapper's email: portions of the story are confirmable, and it's really hard to mix lies with truth in such a way that the lies can't be verified but the truth can.

However, I'm also pretty certain that the author of the email is not the arrested suspect: anyone who drops "egotistical giraffe" amongst the "onions within onions" email missive is not the kind of person who uses a burner phone from his house.

LvB • July 29, 2015 11:04 AM

creepy.

and after this we will probably have copycats. Considering the differences in wealth between people it would not surprise me if a group of people who make, say, $40K per year would find it worthwhile to create an elaborate plan to kidnap some millionaire.

although I am surprised that the store surveillance videos & phone carrier data systems were already not connected directly to The Government? ;-)


Gweihir • July 29, 2015 11:18 AM

Well, first the time-sync is really simple unless you require millisecond or better precision: Turn on NTP. That is just sound system administration. And both a doubtless TCP/IP connected surveillance camera and a cash-register with the same connectivity need reasonably accurate time to be useful. So that one is a no-brainer.

@Nicholas weaver: I completely agree on the email/phone question. Burner phones only protect you from having your name directly tied to the phone. They do not protect you in any way against having the location of a call being identified (rather obviously to anybody with at least some tech knowledge) and apparently, if you buy carelessly, they do not even protect you from having your picture taken when buying. The person using the burner at home is somebody that does not have any insight into how tech works, but instead somebody that associated "burner-phone = secure" without taking the actual situation into account in any way.

On the other hand, while it is hard to mix lies and truth convincingly, it gets a lot easier if you a) are prepared to do it b) have experience with it and c) get cooperation from some of the accused. Just make it clear to them they are screwed, but dangle some carrot in front of them. So I am not convinced this cannot be partially fake. Especially the FBI may be very, very interested in doing convincing partial fakes.

Sam • July 29, 2015 11:47 AM

The email uses the term "reverse Stockholm Syndrome" a bunch of times, in relation to a kidnapper becoming attached to the kidnapped victim.

I'm calling BS on that. The kidnapper isn't afflicted by some new psychological condition - that sensation is *basic empathy* - and maybe they should have exercised a bit more of it before they were at the stage of dragging people out of their beds at 2AM with stun guns, laser pointers and strobe lights.

bogorad • July 29, 2015 12:12 PM

Why not get a foreign roaming-enabled SIM card off e-bay, and use a cheap dial-through service, paid with a pre-paid gift card? :)

(no links provided intentionally)

???? • July 29, 2015 1:20 PM

@bogorad

The problem is the physical delivery of the card. It used to be that (at least in America) one could get UPS or Fed Ex to deliver the package to a different address than the one on the mailing label in real time but they have stopped this practice because there was a huge problem with laptop fraud. So the only real options are to find a "dead house" (house where mail is still being delivered but no one actually lives there anymore) or to find someone to take the mail for you at a different address.

On balance, it's easier to go to a poor section of town and offer some kid $20 to buy the phone for you or go to the store in a disguise. Pulled tight around one's face, hoodies are great for that purpose. Simple, cheap, effective.

http://www.foxnews.com/politics/2015/01/05/oklahoma-lawmaker-wants-to-ban-hoodies-in-public/

Is actually an intelligent proposal even if it isn't practical.

If one is genuinely at a loss for other options (in the USA) go to a store on Halloween in a Halloween costume and buy your burner phone then. If you want an especial touch of irony, dress as a pirate :-)))


parkrrrr • July 29, 2015 2:05 PM

While it's true that they had marked the top of the Mustang with tape, there's no corroboration that they indeed tracked it with their drone, or that they even had a drone to track it with. Why would they need to track the car anyway? They were driving it. Looks good in an action movie, though, so toss it in there.

There doesn't appear to be any corroboration of anything that hadn't already been reported, so while it's clear that they did indeed engage in burglary, it's not at all clear that they were anywhere near as good at it as they claim. They claim to have drilled a hole in the glass of a window to gain entry, then to have deliberately created signs of forced entry at another window - why? What possible purpose does that serve? It wasn't to avoid waking the victims - drilling glass isn't quiet.

They claim that all of their connections were heavily anonymized and required physical access to trace back, but as far as I can tell no attempt was made to trace their connections beyond analyzing the headers of the emails, so maybe that's true and maybe it isn't.

They claim to have had all sorts of sophisticated software and hardware to ensure compliance, but none of the verified parts worked, and none of the rest of it has been verified in any way. (And the chain of events that led to their inability to use, for example, the IP camera is ludicrous: the guy didn't know his wifi password, the factory reset button somehow didn't work, AND your backup router was broken en route? Sure. Admit it - you bought a cheap camera somewhere and used it to intimidate the victim, but never had any intention of hooking it up or checking on it. But "we is 1337 hax0rs" sounds cooler than "we're barely capable of intimidating the guy into waiting even an hour before the cops are called" in the account that you're hoping to see published far and wide.)

They're supposed to be amazingly good at undetectable B&E and surveillance, they've thought everything through, but they take the victim to the home of one of the perps rather than helping themselves to some vacant house somewhere for a couple days.

Frankly, the whole story reads like it was significantly enhanced by a few bong hits. All it needs is some kung-fu.

On a completely different subject, though, I have to say I hope I'm never the victim of a crime like this, if for no other reason than that the FBI's redaction of victims' and potential victims' names was ridiculously sloppy - the intended victim is named at least once in one of the emails, and all of the victims are named in Attachment B.

Eric • July 29, 2015 2:08 PM

What are the lessons learned?

Each time a politician or LE agent complains about Tor being the perfect tool for criminals, laugh at them very hard.

This case shows once more that Tor doesn't protect you if you want to be a criminal. Over time you make at least one mistake that unmasks you.

Anonymity and privacy don't prevent the fight against crime. Targeted investigation is still possible. It may be more difficult, but that's the price we have to pay for a free and democratic society.

If we want to make it as easy as possible for LEA, we should abolish courts and judges, attorneys and all restrictions on LEA that still exist. As a bonus, we should allow police to shoot at suspects. That would even reduce cost of jailing people. OK, I'm getting sarcastic. Oh wait, shooting people in the street is already en vogue these days.

realityizer • July 29, 2015 2:36 PM

The fact that Tracfone+Target can trace back a phone purchase is mildly surprising not because it's technically impressive, but because the only way that would be possible is if their record-keeping systems were specifically designed to handle such a use case.

I mean, if you bought a coffee maker and someone asked its manufacturer when it was bought, they would probably have no idea. They might not even know which store it was in (because they sell to the entire chain).

Remember, phone activation is not done at the time of the phone purchase. All they do is scan a barcode, which usually contains only the type of product.

rgaff • July 29, 2015 2:59 PM

@ realityizer Like I said: now that we know the parallel reconstruction version, it would be interesting to hear the real one. Translation: Now that we know what lies they've told the courts, let's hear what still-really-secret-even-post-snowden surveillance they do to so-called "burner phones" and other electronic gear used...

Another way to put it... did they really buy a "TracPhone" as a "burner phone"?? TRAC.... PHONE??? really??? It openly screams "hey, we're big brother, we TRAC you" right in the name of the phone for heaven's sake!!! This kind of obviousness is supposed to be in the movies, not in real life. It's supposed to be ignored by the characters but obvious to the audience.

C.S. • July 29, 2015 3:24 PM

realityizer, most brands of prepaid phones are locked from activation until purchased at the register due to theft. The bottom of the carton has a unique barcode for every phone.

FanOBruce • July 29, 2015 3:38 PM

TRACphone...that's rich. Soon there will be the Orwellian NoTRACphone. Sounds like some punk kids who were quite lucky not to get finito.

^@ • July 29, 2015 4:04 PM

@Sam
you are absolutely correct on that "basic empathy" part. Besides if this is about a dude having feelings for a girl, it's not a "syndrome" or otherwise it's one that a large percentage of mankind "suffers" from, at least occasionally;-P

Richard Karash • July 29, 2015 4:31 PM

Thanks for the comments and link. The court document is amazing, reads like a novel.

Qundo • July 29, 2015 4:33 PM

So many comments and so few people seem to actually have read the criminal complaint.

Did anyone here actually read the criminal complaint mentioning that Muller lost his phone during one of his robberies, the FBI could read the IMEI number of this phone and find an address related to him thanks to VERIZON and link Muller to that address thanks to the ACCURINT database??


"On June 5, a second home invasion unfolded in Dublin, California, just east of San Francisco. Once again, a man and a woman were targeted. They fought back and drove the masked assailant away, and in his rush to escape he left behind a different cell phone that was registered to an address in nearby Orangeville, California. The police arrested the owner, Matthew Muller, a 38-year-old recently disbarred lawyer.

27. "Cell phone was located on top of a cabinet in the second floor hallway. According to the victims, the cell phone did not belong to anyone in the residence and was not there before they went to sleep. After the cell phone was recovered, it was determined that the phone was locked by means of a screen pattern-lock and no information could be recovered from physical examination of the phone."
28. "On June 5, detectives obtained a search warrant for the cell phone, a SAMSUNG Galaxy Note 4 (IMEI#990004824579217), which was faxed to VERIZON WIRELESS who later provided that the subscriber of the phone was a person who lived at 5300 Mississippi Bar Drive, in Orangevale, California. The search through ACCURINT (law enforcement database) showed that MATTHEW MULLER was associated with the Orangevale address. On June 26, 2015 a review of the still photos obtained from the TARGET retail store in Pleasant Hill, California, that depicted a white athletic male purchasing the aforementioned TRACPHONE that had been used to attempt to contact VICTIM M, is also consistent with the physical description of MULLER."

tyr • July 29, 2015 5:04 PM


The bizarre part was accurate, I didn't see the
hi-tech part. Did Bruce submit a failed movie
plot contest entry to Wired ?

It does fit together nicely though this area is
full of dumbass wannabees who think they are living
in an action movie. Vallejo PD has had a reputation
as loserdom for at least 40 years which I'm glad
to see they have upheld with alacrity. I read the
comments here first and there are some gems, the
glass drill story is one...LOL I'd imagine the signs
of forced entry were to bash in a window with a
sledgehammer so no one would see the other drill
hole.
The Old west is still around and the amount of
boredom encountered in following those folks around
boggles the mind. There were a few exciting episodes
but they were talked about for years to relieve the
tedium of daily life. Modern lives are mostly commutes
and the old west was mostly riding and fixing fences
with a semi-annual trip to the whorehouse where all of
your pay was wasted in a single incident. Going outlaw
meant everybody got excited and tried to catch and
kill you to alleviate their boredom. The rest was
like watching paint dry for amusement. Except for the
hard work part.
Mare Island is quite a site, I knew the contractor who
was tasked with removing the lead sheathed cables that
ran all over the place on the base. It probably has all
of the industrial contaminants ever invented on it after
years of being a functional shipyard. It was also the
west coast crypto school site, lovely if you like the
concrete bunker with no windows architectural style.

me • July 29, 2015 5:11 PM

Good old Tracfone-and-Target. Where the phone is ridiculously underpriced, and the cashier practically gives it a massage as she's ringing it up, and then carefully studies the receipt before handing it to you, and it triggers the exit alarms, but the employees say "it's ok, go through, go through" when you walk back in with it.
What could a dishonest Target employee do with this information, or with affixing or de-deactivating a tracker?

Clive Robinson • July 29, 2015 6:07 PM

With regards obtaining and using "burner phones"...

Obviously buying anything "new" is a significant risk and has been in the UK for well over a decade, even in corner shops they remember you for various reasons.

Which is perhaps why criminals in London are involved with stolen phones and second hand phone booths attached to other business premises such as butchers, fishmongers, corner shops and even tattoo parlors. With the exception of the latter the majority are first/second generation "Middle East, Asian and African" run shops.

There is also the "recondition / repair" market, manufacturers rarely repair phones these days even under warranty, they just "change the guts" which along with the market created by the WEEE directives in Europe means you can "make your own phone".

And, as has been mentioned on this blog before, certain brands of phone can also with an appropriate piece of software have all their electronic serial numbers changed.

Further a true "burner" has just like the OTP KeyMat a golden rule "use once only then destroy and dispose of cleanly".

More correctly, you have several wiped phones that have "hands free" and no connection to you, you always keep them in a plastic bag and wear gloves when handling. You don't ever turn them on until the use once time and you do it from some considerable distance away from your normal area of operations. Further you make sure you have no other electronics with you on the journey there and back, including no credit/debit cards, travel cards work cards passports or anything else that might have RFID or NFC in them. Also make sure the route you take does not have CCTV etc, and don't travel on public transport or taxi, and not in/on a vehicle with registration plates. So being fit and walking or riding a cheap throw away second hand push bike is one way. Thus when you get to your chosen spot, put the SIM in, put the battery in, don't put the phone against your ear or speak onto it make the call keep it under a minute, take out the battery then the SIM and get away from the area quickly. Then break the phone and its charger down into bits put them in strong household bleach for half an hour or so then soak it in an "appropriate" highly flammable solvent for an hour or so. You then do what Boy Scouts were told to do years ago of "Burn Bash and Bury". Get one of those cheap BBQ starter tubes put coals in add the solvent soaked bits and carefully light, as the flames die down add a few more coals on top and blow air in so the coals burn brightly let it all burn down to "white ashes". Having "burned your burner" hammer any bits down and dispose of the ashes and hammer carefully. If you don't want to risk the fire, then after soaking in solvent let it evaporate off the bits and then drop them over a bridge into a river etc.

If this sounds like a lot of trouble, just remember "crimes against the person" like kidnapping get treated very harshly if you get caught, and due to the publicity that will follow the authorities will put in a significantly disproportionate amount of effort to catch and convict, more so than for murder... because rich people have contacts in high places and they will use them one way or another and thus it will get in the news. Thus kidnapping due to the press involvement is very much a game of politics and "justice being seen to be done" at "no expense spared".

Thirty to life, is plenty of time to consider that you did not put in sufficient effort to not make the one mistake that got you caught or grassed up by one of your co-conspirators. Personally I think people would be mad to consider kidnapping and ransoming a person in a first world WASP country, the comparatively small monetary gain --if you can get it-- is not worth the risk involved.

Anura • July 29, 2015 7:12 PM

I would think the easiest way to make an anonymous call would be Tor + Public WiFi + Stolen VOIP credentials. Although, it is less convenient than a burner, and there is always the risk that your laptop is infected with something that allows you to be identified or tracked.

Jim • July 29, 2015 9:28 PM

Seems closer to season 3 of The Wire (2004). The drug dealers use prepaid cell phones, for which they hire a driver to go long distances to purchase. The detectives pick up the discarded phones, take the serial numbers, and get the phone company to disclose where those phones were sold. They go to one of the stores and get surveillance camera footage of the driver picking them up.

ianf • July 30, 2015 8:31 AM


@Jim > closer to season 3 of The Wire (2004)

That's not how McNulty et al tied the burner phones (both discarded, found units & such confiscated during street round-ups) to the gangsters. Rather, the small-fry Barksdale accomplice tasked with purchasing them piecemeal (or no more than 2 units at a time) way off from the city, took his girlfriend along for the ride. After a number of gas station and convenience store stops, she got tired of it, started bitching, demanding they go eat now (Wikipedia claims oral sex was on offer, but I averted my eyes) and that nobody will check the receipts that the BF dutifully collected anyway (she was right about that, bad OPSEC followup there). That's when the driver bought 8 units over the same counter, which made him highly memorable to the seller (and, of course, created a lasting, easy to retrieve mark in the cash register when the police came calling). So the main risk factor here was a bitchy, hungry GF riding shotgun (it's been a while since I last saw #s03ep07 of The Wire, but this particular detail has lingered in my bio-RAM).

Wm • July 30, 2015 9:06 AM

There is an easy way around this photo surveillance. Just ask the 'Geezer Bandit' bank robber, who robbed 16+ banks in California, how. He has not been caught. He doesn't seem to know that it is against the law to wear a disguise in California.

DavidTC • July 30, 2015 11:00 AM

Yes, Clive Robinson, everyone should be sure not to get their fingerprints or DNA on a phone *they're going to burn to ash and then hammer to pieces*. No one will ever notice your weird behavior there!

Also, be sure not to carry anything with RFID or NFC, because, uh, magic.

And be sure to bike around or drive around without plates, that *never* calls attention to yourself.

Or, instead, you can be less crazy, and simply figure out a place there aren't any cameras, leave your existing phone and anything with GPS behind so it can't be tracked, drive there without doing something stupid like buying gas, then use the phone, disconnect the battery, and walk away.

How do you safely get rid of the phone? Easy. Before all that you put in your car a large plastic soda cup from a fast food place (Which you ran through the dishwasher to get rid of fingerprints) that you mostly filled with Mountain Dew. You then put the phone inside that, and...throw it away in some public trash can that isn't being watched by a camera. (Much harder to notice than someone apparently throwing a perfectly good phone away, and it destroys any DNA.)

Alternately, if you *are* going to work hard keeping your DNA off the phone, why the *hell* do you want to destroy it, or even take it with you? Just leave it sitting there! 'Let me carry away this evidence that is only incriminating if it's found being carried by me.'

ianf • July 30, 2015 11:47 AM

@rgaff: hoodies #FUGGEDABOUTIT for obfuscation of identity when up to no good. They are props used by bad screenwriters to underline imaginary criminals' need to shield their visage (above: Bruno, who just shot a secret policewoman inside a van; from "Tell No One," 2006. Think this makes him less conspicuous on a busy Paris street?)

Instead, use Elmore Leonard's 10 Rules for (Criminal) Success and Happiness, a.k.a. Ryan's Rules:

Rule 4. Dress well. Never look suspicious or like a bum.

(rules for armed robbery with one partner, but applicable @ large)

U.B. • July 30, 2015 4:23 PM

Found the parts about operating the auto theft ring particularly instructive. May explain why our neighborhood gets so darn many vehicle recoveries. Too involved to figure out whether LoJack is installed, so the stolen cars are just parked somewhere to cool off. If they're not recovered after what seems a safe period, then it's ok to go back and get them. In our neighborhood, we kick up a stink right away. No longer safe to dump them on us. If it's sitting out front with paper plates, I'm going to inquire on Nextdoor if it belongs to anyone's guest and then I'm calling the city's number. They're usually pretty quick.

SchneieronSecurityFan • July 30, 2015 4:25 PM

I don't necessarily think that the Mare Island case shows cutting edge investigative techniques that were used by the various law enforcement agencies.


Case in point: The fast food strip-search caller hoax was a series of telephone calls placed to primarily fast food restaurants from the mid 1990s until April 2004. A caller to a fast food restaurant would pretend to be some type of authority figure and instruct an employee or employees to strip-search other employees in order to supposedly further a criminal investigation. This hoax came to national attention when an employee at a McDonalds restaurant in April 2004 was stripped for hours by a manager and others.

By then, multiple agencies had been working on the case. Some agencies had entered *69 on the phones receiving the hoax calls. The stated telephone numbers were traced to pay telephones in the Panama City, Florida area. Other agencies had determined that the hoax call was paid for by using a pre-paid phone card.

As I understand it, the search then moved next to local Wal-Mart stores. (Whether the phone card company was contacted initially or the searchers decided to start at Wal-Mart isn't clear.) But with the calling card purchase data (calling card number, time/date of purchase, etc.(?)) the police were then able to approach Wal-Mart with the information.

Note: By 2000, Wal-Mart at its headquarters in Arkansas had the capability to monitor transactions down to an individual register. (Eventually, Wal-Mart will let its suppliers have access to this data.)

Police were able to see the video of the calling card and the buyer at the point-of-purchase. The buyer was wearing a uniform that was linked to a contracting company at a local jail. Upon seeing the video, the warden of the jail identified the card's buyer.

The guard was found not guilty at trial, however.

http://archive.courier-journal.com/article/20051009/NEWS01/510090392/A-hoax-most-cruel-Caller-coaxed-McDonald-s-managers-into-strip-searching-worker

Look at pages 10 through 12.

The writing above doesn't even mention any credit or debit card information as a means of purchase.


The Mare Island case just linked up the unique data that was searchable into the next domain all the way to its goal.

The phone was not activated at the time of purchase according to the indictment.

Clive RobinsonJuly 30, 2015 5:21 PM

@ DavidTC,

Hmm where I'm from a bike has neither plates nor a motor and you don't drive them, those that do we call motorbikes.

With regards RFID and NFC cards, no magic, they can be read at a distance by a coil in a doorframe etc. In the UK we had the issue with compulsory ID cards, with large fines if you did not carry one. Research was done to see just how far you could reliably read one and "near field" is a lot bigger than you think. With the banks now putting authorisationless transactions on NFC cards in the UK, crooks are apparently already "skimming" them. Although it's a small risk kidnapping for worthwhile ransom is 30 to life with a guaranteed no stone unturned manhunt. So why take even a small risk that's easy to avoid if you don't need to?

As for this "Mountain Dew" stuff I can not say I've come across it, from what you say of its abilities to remove fingerprints and destroy DNA it must be a mix of battery acid and biological laundry powder. Oddly a quick google suggests it's a beverage, thus I have my doubts about its DNA destroying abilities, and likewise its ability to remove fingerprints... but that's not my worry I'll stick with what has been shown to work reliably.

As for the "burn bash and bury" I don't know where you live but using a BBQ pit, draws little attention around where I live. But it's not for getting rid of just fingerprints and DNA, if you think about it I'm sure the penny will drop.

As for leaving the phone in one piece in the rubbish or at the location you used it, phones have value and they don't bio-degrade or corrode away in the average span of a human life, and items with value have a very bad habit of turning up. It's a trade in risks with dump / leave it or take it away. I'd personally put the take it away and securely destroy as being the lower of the two risks over a life time. However if you think your way of doing it, is OK don't let me discourage you, it's your life your risk as they say, just enjoy it and don't do anything naughty you might spend the rest of it regretting.

fsdJuly 31, 2015 2:51 AM

"kidnappers used anonymous remailers, image sharing sites, Tor, and other people's Wi-Fi to communicate with the police and the media, scrupulously scrubbing meta data from photos before sending."
So, I understand it's preparation before US LEAs will ban this tool in USA and Western Europe?

G-ManJuly 31, 2015 7:59 AM

tangentially related...

Man shoots down drone hovering over house
http://www.cnet.com/news/man-shoots-down-drone-hovering-over-house/
Then the drone's owners come calling.

Merideth, 47, lives in Hillview, Kentucky. As WDRB-TV reports, a neighbor heard gunshots and called the police. Merideth allegedly told the police that a drone was hovering over his house, where his teen daughter (he has two) was sunbathing. So he pulled out his gun and gave it a merry death.
The drone's owner, police say, said he was flying it to take pictures of a neighboring house.
However, Merideth told WDRB: "Well, I came out and it was down by the neighbor's house, about 10 feet off the ground, looking under their canopy that they've got under their back yard. I went and got my shotgun and I said, 'I'm not going to do anything unless it's directly over my property.'"
He says that shortly after the shooting, he received a visit from four men who claimed to be responsible for the drone and explaining that it cost $1,800.
Merideth says he stood his ground: "I had my 40 mm Glock on me and they started toward me and I told them, 'If you cross my sidewalk, there's gonna be another shooting.'"
There appears not to have been another shooting. However, Merideth was arrested for wanton endangerment and criminal mischief. There is, apparently, a local ordinance that says you can't shoot a gun off in the city, but the police charged him under a Kentucky Revised Statute.
For his part, Merideth says he will sue the drone's owners. He told WDRB: "You know, when you're in your own property, within a six-foot privacy fence, you have the expectation of privacy. We don't know if he was looking at the girls. We don't know if he was looking for something to steal. To me, it was the same as trespassing."

Slime Mold with MustardJuly 31, 2015 9:57 AM

@ G-Man
"I had my 40 mm Glock on me..." I didn't even know Glock made a 40 millimeter, but if they do I want one for taking down AH-64 Apaches ; )

RE: Trac Phones

I purchase these often (see below). The package includes an RFID chip about two cm across glued very firmly under a paper tag. It is the largest I have ever seen on a commercial product and seems excessive.

'Burner' phones are very handy for limiting who can bother you, and when. I label mine with a code name relating to the issue the phone is for.

me@me.comJuly 31, 2015 11:50 PM

Bruce, I don't know if there'd be a way to just show the first sentence of a comment & have the rest be expandable, but it would make sharing space here a little more pleasant.

sommyAugust 1, 2015 1:47 AM

Regarding the burner phone issue. If you read the article you will see that he didn't use the burner phone in his house, just in the same town. Maybe in the FBI's document there are more details if someone read it. But according to the article he didn't use the burner from his house and therefore wasn't caught.

He was only busted when he tried to do another crime and left in the new crime scene his real registered phone.

So generally speaking his OPSEC in the first crime was not bad. His only mistakes were using a burner bought less than 30 days ago in a huge retail network without a proper disguise and to some lesser extent using it in the medium size town where he lived in sometimes.

RogerAugust 13, 2015 11:31 AM

I was going to make a bunch of comments, but I see that parkrrrr has already covered a few of them. Here's a few more though:


  1. In what follows, I will assume that Muller is indeed both the email writer and one of the kidnappers. There seems to be clear evidence that the email writer either was one of the kidnappers, or at least had access to them. The case against Muller also seems pretty strong, but it isn't yet proven. It will certainly serve as a working hypothesis; but if you want to think of yourself as a security analyst, you need to get into mental habits such as keeping in mind what things are proven, what are probable, and what is merely assumption.

  2. Given that Muller and the email writer are both members of the same gang, it is immediately clear that a large part of the emails are definite falsehoods, and much of the rest is highly dubious. This shouldn't be at all surprising as it is well known that professional criminals are liars: generally self-serving liars, and often well-practiced liars. Indeed, if you read the emails whilst playing "spot the lies", it is apparent that Muller isn't even all that good at lying. Most of his lies fit some patterns that are pretty common for criminals communicating with law enforcement; more on that in a moment.

  3. What is more surprising is that here on a security blog some people still seem to be treating so many statements from the email as being credible. I guess this won't make me any friends, but really, I say this to be helpful: if you didn't spot that Muller's email was a load of eyewash, you need to wise up. Technical security is important too, but most security failures come down to simple human dishonesty. To be an effective security practitioner you don't necessarily need to be a human lie detector, but you pretty much do need to be able to spot eyewash this bad. In fact, it'll be a great help in your personal life, too...

  4. @Nicholas Weaver: "it's really hard to mix lies with truth in such a way that the lies can't be verified but the truth can". Umm, no it is not. In fact it is pretty much Lying 101. When small children first start lying at around 4 years of age, they tell very simple lies that don't understand the ways a listener might try to diagnose their lies. As soon as they become mature enough to start to see things from the listener's point of view, and construct lies that are harder to detect, mixing lies and truth is one of the most basic techniques. The clever thing to do is to tell the truth about everything that is verifiable, and tell lies only about the key points that must be confused. Muller wasn't that smart.

  5. "onions within onions" is a tautology that butchers the metaphor. It is a very small point, but someone put this phrase up as proof that Muller (or his partner) is a clever fellow who couldn't possibly make a blunder. In fact it does the opposite, and shows him as someone who -- while by no means an idiot -- is not nearly as clever as he thinks.

  6. Now to examine a specific lie. (I could do a dozen of these, but this margin is too small...) The email author states that the kidnappers deliberately learned military jargon in order to frighten their victims with their apparent professionalism. Now given that Muller was one of the kidnappers, we know this is a lie; in fact Muller was an ex-marine and already knew his military jargon. On the other hand, it would be trivial for the police to confirm with the victims that military jargon had been used. Hence we must conclude that military jargon was used in front of the victims, and the kidnappers went out of their way to provide a false explanation for this. Why? Obviously, they belatedly realized that they had left a clue about Muller's background, and so they want to muddy the waters.

  7. Seen in this light, it can be seen that a lot of the email consists of what are probably red herrings in a belated attempt to compensate for a blundered crime scene that was replete with clues:

    • Why bother with the irrelevant and dull detail of how the gang first heard of the abandoned naval facilities on Mare Island? Again, because they didn't want the police to consider that they knew about Mare Island from the military.

    • What about the tall tale about wetsuits and hairs collected from neighbors? Neither victim noticed a wetsuit, even when being manhandled, and the evidence turned up at Muller's house makes this seem rather unlikely. But it sows the ground for a handy defense in court if the police did turn up some of their DNA at the victims' residence.

    • Why steal the drugs from the homes of other victims, when the affidavit indicates that the drug in question was merely Nyquil, a common over-the-counter medicine of little street value? Perhaps because they actually bought it at the local druggist, and don't want the police checking there.



  8. Not all of it is simple muddying of clues. He is also laying the grounds for a light sentence by showing his remorse -- something that Muller's subsequent actions show to be pure baloney.

  9. Oh, that's enough. Off to bed.



Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.