Horrible Story of Digital Harassment

This is just awful.

Their troll -- or trolls, as the case may be -- have harassed Paul and Amy in nearly every way imaginable. Bomb threats have been made under their names. Police cars and fire trucks have arrived at their house in the middle of the night to respond to fake hostage calls. Their email and social media accounts have been hacked, and used to bring ruin to their social lives. They've lost jobs, friends, and relationships. They've developed chronic anxiety and other psychological problems. More than once, they described their lives as having been "ruined" by their mystery tormenter.

We need to figure out how to identify perpetrators like this without destroying Internet privacy in the process.

EDITED TO ADD: One of the important points is the international nature of many of these cases. Even once the attackers are identified, the existing legal system isn't adequate for shutting them down.

Posted on January 27, 2016 at 6:20 AM • 80 Comments

Comments

Z • January 27, 2016 7:12 AM

>We need to figure out how to identify perpetrators like this without destroying Internet privacy in the process.

Find a way to do this, and you basically find the itsec holy grail - the ability to go against the hackers. There are thousands, millions of vulnerabilities of various types that need to be addressed for IT systems to be secure, a ridiculously unfair task when the bad guy only needs to find one or a few to succeed. This asymmetry in the effort and resources evolved between offense and defense is the big reason why we are in the current mess.

But find a way to reliably get to the bad guys, and suddenly the whole equation changes. There are way fewer cybercriminals out there than vulnerabilities to patch and/or mitigate, so going against cybercriminals themselves makes much more logistical sense. If you can do that, it doesn't matter as much if your information assets are perfectly protected or not. Suddenly, the defensive side isn't as powerless as it was.

Alejandro • January 27, 2016 7:12 AM

I see it more as a cry for attention and anecdotal evidence of a need for vastly expanded mental health services in the USA.

If it weren't for electronics the disease would have expressed itself some other way e.g. trained pigeons.

x • January 27, 2016 7:44 AM

>We need to figure out how to identify perpetrators like this without destroying Internet privacy in the process.

Are you serious?

jeff • January 27, 2016 7:57 AM

> We need to figure out how to identify perpetrators like this without destroying Internet privacy in the process.

We know how to do this. Someone tracked the kid down with the help of the police. The problem is that the police (1) didn't understand what was going on and (2) didn't want to invest the time to find this kid until they were virtually forced to do so.

This will be less of a problem as the systems being exploited learn not to trust anonymous communications so much. Unfortunately, that might take a while.
jeff

John Doe • January 27, 2016 7:58 AM

Personally I don't think the Straters are to blame for the attacks. Rather the problems lie outside of their lives because the system is not mature enough to prevent these types of attacks. Most services will just take your word for it when you give them a call and (by default) won't do any verification whatsoever. Until this is fixed, this kind of social engineering (and trolling) will continue to be feasible.

Si • January 27, 2016 8:06 AM

Isn't it already possible to track these perpetrators? The police just don't have the desire and tenacity to follow it through.

I'm reminded of this story where most of the police were pissed that they had acted on a false call, but didn't bother pursuing the one who called it in. It took an officer huge amounts of time to aggregate crimes of the harasser before the FBI would help him and the Canadian police were similarly reluctant to charge the harasser with a crime.

It's possible to find and prosecute these people already, but the various police agencies don't take swatting seriously enough to do the hard work.

Victor Wagner • January 27, 2016 8:09 AM

> If it weren't for electronics the disease would have expressed itself some other way e.g. trained pigeons.

Jack London wrote about it in 1910. See "Winged blackmail".

Frank Mitchell • January 27, 2016 8:11 AM

Yes the U.S. needs a real mental health system. It also needs a real health system period, not just the ACA. But the sudden concern for mental health in this context has the same purpose as the sudden concern for mental health after a new case of gun violence, i.e. a distraction from the real issue.

Likewise there won't be a magic bullet for Internet harassment. We'll have to patch one vulnerability at a time, just like everything else. We can prioritize, however, and the first priority is to allow police and rescue services to back-trace calls quickly and reliably. This gets into messy privacy issues, but if somebody contacts law enforcement directly, or indirectly reports an imminent threat, they should have the ability and the right to know where the report originally came from. Malicious speech on the Internet (save doxxing) is trivial compared to the threat of a fully armed SWAT team arriving at your door for no reason.

Of course, another urgent issue is proportionate responses from law enforcement, particularly if the suspect is black ...

Vijay Dangi • January 27, 2016 8:12 AM

In India, a somewhat different type of harassment has been going on since 2012. Surveillance MISUSE is something which is not just lethal for relations but can provoke innocents to suicide. This case has become even more interesting, as major Indian political parties are now not just following it but, I must say, party to it. Media is also involved directly or indirectly.

Frank Mitchell • January 27, 2016 8:19 AM

P.S. I just saw the comments about police not wanting to find the perpetrators of SWATting. Which is appalling, and also needs to be fixed. Filing a false police report is a crime, and should be treated as such ... even if the report is a malicious 911 call or "anonymous" tip. (Honest mistakes shouldn't be prosecuted, of course, but a serious investigation would distinguish mistakes from malice.)

x • January 27, 2016 8:41 AM

The problem is that western people trust the media (TV, news, social networks). In Russia we don't trust the media (for obvious reasons). I don't think this can happen in our country, but I may be wrong.

Z • January 27, 2016 8:49 AM

>P.S. I just saw the comments about police not wanting to find the perpetrators of SWATting. Which is appalling, and also needs to be fixed.

It's a question of the police not having the resources and means to find the perpetrators. Of course they care, it's a huge drain of money and time every time they must answer to these kinds of false alerts.

John B • January 27, 2016 8:51 AM

Internet privacy? At one time I could have gotten behind that idea but watching people spill their guts online I realize the effort is pointless for most.

And for the few that are wise enough there are multiple ways to maintain anonymity.

B • January 27, 2016 8:55 AM

A couple of well-publicised charges of Attempted Murder By Proxy would cut this SWATting down considerably.

Jean-Victor Côté • January 27, 2016 9:31 AM

This is a case where anonymity is a much bigger problem than encryption. I suspect that it is the case on balance as well. If you can track people and can request passwords when there are clear indications of unlawful behavior, then you do not need to break encryption. Also, encryption is something that gives back to private communication something that is lost when using the Internet: privacy.

Thunderbird • January 27, 2016 10:11 AM

> I see it more as a cry for attention and anecdotal evidence of a need for vastly expanded mental health services in the USA.

I skimmed the article, because it seemed like a sadly-standard "lives ruined by sociopathic jerk" story, but I thought it said they'd fingered the perpetrator as a formerly-juvenile hacker from Finland. I'm not sure I'd favor giving the U.S. mental health services the ability to call in drone strikes in Finland--the Finns might quite reasonably object. It seems more to me like evidence of a need for international cooperation in dealing with sociopathic juvenile criminals.

I'm a little surprised the target of the abuse hasn't struck back in a similar way at the supposed abuser (I mean the "hacker" son doing so, not the parents). I wonder if there's more to the story? This would make more sense as an escalating feud than a one-time argument, but crazy people do all kinds of crazy, I guess.

Anyway, it sounds like the identification of the offender is not the issue, rather the lack of any official response to their crimes. Bruce, you usually make the point that crimes are thwarted (or solved) using ordinary means of investigation, rather than requiring some new privacy-smashing innovation, and it seems that that was the case here too. Or were you making the point that even though they think they know who's responsible, it can't be easily proven with existing means?

Sprint is typing... • January 27, 2016 10:18 AM

@Frank Mitchell

> the first priority is to allow police and rescue services to back-trace calls quickly and reliably

This would be a wonderful thing but here's why that is problematic:

We can allow backtraces in the US but the article shows that the attacker was using a TTY relay. Relays in other countries make this more difficult to trace. We would need to standardize backtraces for all countries with telephone services.

Even then, dedicated attackers can use prepaid cellphones. Tracing a malicious 911 call to a phone to the security cameras on the day that the attacker bought it is probably more work than anyone in law enforcement is willing to do for such cases.

The other option is to deny access to emergency services from prepaid phones and open relays. This has other consequences.

Anon • January 27, 2016 10:26 AM

Surely if a crime was committed, then privacy doesn't apply? The Police should be able to request information as required, in order to discover who did this?

I think the privacy argument here just adds smoke to the privacy discussion.

Corodon • January 27, 2016 10:27 AM

For each crime Kivimaki was convicted of, he was fined an average of 7 cents. Great justice system you have, Finland... that'll really discourage criminal activity.

Justin • January 27, 2016 11:02 AM

The possibilities for (and thus the likelihood of) "digital" harassment will just increase with the increase of all sorts of information gathering (through policies such as that displayed by Microsoft in Windows 10 and the increase of various online connected devices, etc).

An article from New Zealand about their cops using their "National Intelligence Application" to check details about people:

http://www.odt.co.nz/news/national/371055/nosy-cops-search-official-files

W • January 27, 2016 11:09 AM

What if, instead of trying to find the InfoSec holy grail, we tried to harden society's security institutions?

Change police practices when they receive word of bomb threats being made in someone's name. Encourage Paul and Amy to use 2-factor authentication. Etc. etc...

Seems like this is a non-starter from the InfoSec perspective, but there's no reason we can't try to address the same problem through other means. Resilience matters.

wumpus • January 27, 2016 11:10 AM

@Corodon: Have you looked at the data? Are you seriously questioning Finland's ability to keep a low crime rate?

I find it odd and suspicious that cops don't consider SWATing and other false reports dangerous. Obviously it wastes time, money, and potentially cops' lives (although so far all the "cops burst in the wrong door without knocking, a shootout occurs" have only killed the [presumably mistaken] victim). Having the cops prefer an armed home invasion to tracking a phone call makes the police state a little too blatant.

"We need to figure out how to identify perpetrators like this without destroying Internet privacy in the process." - Note that on first thought it appears as bad as the "snooping the cloud" post that ignored that all files are stored as hashes for de-duping. But this one is subtly different: it only asks to destroy anonymity (and thus privacy) for actions with significant cost to the public and little to the sender.

The whole question comes down to a requirement for high cost messages to be "signed" (in a real way, not the "digital signing" as the rest of the world knows it). This pretty much requires ignoring unsigned bomb threats and reducing the effectiveness of anonymous tips (the former will be stopped dead by politicians, even though I haven't *ever* heard of a bomb threat that had a bomb that the caller wouldn't have signed (such as the IRA), the latter will be fought by cops who could quite likely show real data where anonymous tips made a real difference).

Such a system in no way interferes with privacy. It just interferes with allowing the population to be terrorized. Politically, destroying privacy has no costs, but no politician will ever interfere with allowing people to be terrorized.

Z • January 27, 2016 11:37 AM

>What if, instead of trying to find the InfoSec holy grail, we tried to harden society's security institutions?

>Change police practices when they receive word of bomb threats being made in someone's name. Encourage Paul and Amy to use 2-factor authentication. Etc. etc...

Regarding information security best practices (such as 2-factor authentication), well, we are trying to implement them but after 15-20 years it doesn't seem to be very effective, in great part because you need to have a near-perfect coverage for them to be useful. To take the patching management case because it's a common one, you can patch 95% of your infrastructure with 95% of the existing patches available - a lofty goal and a huge logistical commitment - but it doesn't mean anything if the attacker only has to find the one vulnerability you couldn't address to hack you. So yeah, security best practices are still useful and important, but clearly they cannot fix the problem (or we wouldn't be in the current mess).

I said finding hackers was the holy grail because they are way less numerous than vulnerabilities. Hunting vulnerabilities ("enumerating badness") doesn't work, but hunting hackers could actually do. Unfortunately, the hacking attribution issue remains a big one.

As for the police stopping responding to SWAT hoaxes... there are good reasons for the police to always assume such calls are legitimate. Doing otherwise would be an invitation to get sued. CYA. So I kind of understand why they keep going this way. Especially since swatting probably remains a rare phenomenon overall.

Ray Dillinger • January 27, 2016 12:10 PM

I think stories like this are mainly a showcase of the vulnerabilities we need to fix. And there is no substitute for fixing them. One at a time. And it'll take a long time before we can convince people just how backward backward compatibility really is.

People use social media. It's dumb, but most people do it anyway.

People use stupid passwords. That's dumb too, but we like to be able to remember them.

Accounts in most places are secured *solely* by stupid passwords. Maybe we can do something about that.

Basic phone security involves a challenge and response; the caller gives a call-back number, and the pizza place (or social media admin) has to call it back before anything happens. That way you at least know what phone number the caller had to control at that moment, which goes a long way toward preventing stupid shit from being done anonymously. You could probably skip this step with caller ID. One problem with this is that pizza places (and most of the businesses that act on phone calls) would rather misdeliver the occasional pizza than inconvenience customers one bit (and potentially lose business) by doing the extra step.

Advanced phone security involves dropping the call like a hot rock unless the tower and handset establish MUTUAL authentication. We've gotten as far as making it possible for mutual auth to be done, but nobody wants to take the vital step of dropping the call like a hot rock unless you can prove you aren't using a spoofed tower.

And honestly, we need legal protection for people whose employers panic because some asshole tied racist or sexist crap to their names online. If it's not because of something that person actually did, it's not okay to be taking their livelihood.

Sigh. One vulnerability at a time.....

on and on • January 27, 2016 12:16 PM

Can someone with access to the phone line intercept a landline call, pretending to be the called party? And make up a fake customer service name? If this happens, would there be any way for the user to check with the organization, whether someone of that name actually had been doing customer service for the organization at that point in time?

I think that organizations don't know, or don't care, or don't know how to fix, that they have lax security. Bruce, how would you structure a fix to this problem? Is there one?

Erik • January 27, 2016 1:11 PM

A major problem is that people rely on Caller ID for authentication, and that Caller ID is trivial to spoof. The problem is that there are legitimate reasons for being flexible with Caller ID, especially when you get into enterprisey phone systems, telecommuting, etc. My thinking is that in a world where a huge percentage of calls are SIP-based and then mapped into the POTS system for routing between systems, it would make sense to send SIP call routing information as part of the ISDN call setup process. Yes, I know that would cause much wailing and gnashing of teeth. But it would be useful to know where calls come from, even if the chain of information is blocked by some dodgy or hacked proxy along the way.

albert • January 27, 2016 3:00 PM

Responsibility needs to be assigned. If the hacker is old enough, he should be tried as an adult and face some serious jail time, otherwise the parents need to take the heat. Let the punishment fit the crime.

There are no technical solutions that have a prayer of being implemented and enforced. Folks want it easy, and they want it fast, and damn the torpedoes...

People are such idiots. Therefore, it should be illegal to use any social media data (including public perceptions about such data) in hiring and firing employees, compiling into LE and IC databases, etc., when the data is proven false.

Only an idiot would post hate speech on their social media, and there are plenty of idiots out there who are willing to believe the account is not hacked.

Folks haven't grown up enough yet to realize that they can't believe anything they see online, on TV, in the newspapers, or in books.

Commenters have pointed out some of the technical problems, and solutions.

I believe that someday, the cost of anonymity might be considered too high a price to pay. The LE/IC folks are already on board with the concept of Universal Identification. How long before it is codified?

. .. . .. --- ....

W • January 27, 2016 3:16 PM

@Z

>Regarding information security best practices (such as 2-factor authentication), well, we are trying to implement them but after 15-20 years it doesn't seem to be very effective, in great part because you need to have a near-perfect coverage for them to be useful. To take the patching management case because it's a common one, you can patch 95% of your infrastructure with 95% of the existing patches available - a lofty goal and a huge logistical commitment - but it doesn't mean anything if the attacker only has to find the one vulnerability you couldn't address to hack you. So yeah, security best practices are still useful and important, but clearly they cannot fix the problem (or we wouldn't be in the current mess).

I meant on a case-by-case basis. After-the-fact, as a response. Having one's account compromised is annoying to the extreme, but not usually the end of the world.

> I said finding hackers was the holy grail because they are way less numerous than vulnerabilities. Hunting vulnerabilities ("enumerating badness") doesn't work, but hunting hackers could actually do. Unfortunately, the hacking attribution issue remains a big one.

If we can get prosecutors and lawmakers to understand proportionality, sure. As of now, I don't trust them to tell the difference between a kid playing a damage-less prank and a nation state trying to take down the power grid.

> As for the police stopping responding to SWAT hoaxes... there are good reasons for the police to always assume such calls are legitimate. Doing otherwise would be an invitation to get sued. CYA. So I kind of understand why they keep going this way. Especially since swatting probably remains a rare phenomenon overall.

I do not mean they should stop responding to them, but to change their processes to acknowledge the possibility of a hoax so they don't initiate attempts to go into homes by throwing a flashbang into an open window.

That Dingo stole my baby • January 27, 2016 3:42 PM

Before we fly into yet another government-issue moral panic about anonymous speech, perhaps we should listen to the lessons that the victims drew from their harassment.

Don't use social media.

It's stupid to frame this to make anonymity the threat. Absent out-of-control commercial exploitation of sensitive personal data, this harassment could not have happened. The victims know it. Why don't you listen to them instead of shoe-horning the facts into the FBI cybercrime box?

Awkward Amphibian • January 27, 2016 4:15 PM

@ Thunderbird:

> I'm a little surprised the target of the abuse hasn't struck back in a similar way at the supposed abuser (I mean the "hacker" son doing so, not the parents). I wonder if there's more to the story? This would make more sense as an escalating feud than a one-time argument, but crazy people do all kinds of crazy, I guess.

Unfortunately some of these people/trolls have a hair-trigger temper that can be set off by a minor thing, such as some innocent comment on something they did. Even saying something like "I can't reproduce your results" in response to a tutorial they wrote can make them go on a trolling rampage that includes threats of violence, posting crap in your name, hacking websites in your name, you name it. Basically these people are mentally ill and have no issues destroying anyone who dares to do anything they don't like.

When you dig into their online history it usually is quite obvious something is very wrong with them, because they tend to have a history of conflicts that spans years (decades), including serious threats of violence or even death, often seem to lack a good job (basically, they're shut-ins), and have very limited social interaction outside of the internet due to being an awful person. There's also a tendency towards feeling superior over other people and some serious Dunning-Kruger effect going on (and pointing that out often sets them off).

Unfortunately some of these suckers are actually capable of holding a job. Encountering these on the work floor is a serious hazard to your mental health...

W • January 27, 2016 4:20 PM

@Awkward Amphibian

I strongly resent the notion that a shut-in is a shut-in because they're awful people. I grew up as a shut-in in front of a computer and I presently donate my time and money to charity on a regular basis and do what I can to help others.

I was a shut-in to escape a lot of life's ills. It disgusts me to see others blaming a common coping mechanism as the source of ills - it further stigmatizes already socially awkward persons.

Clive Robinson • January 27, 2016 4:21 PM

@ Bruce,

"We need to figure out how to identify perpetrators like this without destroying Internet privacy in the process."

For various technical reasons it can not be done. In that respect it's like crypto and backdoors, people will always find a way around any technical measures you might put in place...

So stick with maximising privacy.

The solution to the problem is to stop having "public PII databases".

Various Governments have decided to sell PII of their citizens. For instance in the case of the UK the "electoral roll" is widely available, but if you decide privacy / personal safety / fraud prevention / etc is more important than your more or less meaningless right to vote, and you decide not to be on the "electoral roll" you can be fined by the UK Gov 1000GBP. Likewise the "land registry"...

The fact the Gov wants to make a little cash on the side of putting people's lives at risk is something we don't talk about and should.

Many many people have been hurt by these "public PII databases" and it's about time we stopped making them available.

As long as they are easily available and via anonymous means then these sort of attacks are ridiculously easy for a troll to use.

If it were not so easy there would be less trolling, because it would raise the "pain threshold" for the troll and make them more visible.

After all there is the old political saw about giving politicos the ability to both raise revenue and make legislation "is like giving a teenager a quart of whiskey and the keys to the car, you know what's going to happen".

Likewise giving trolls privacy and easy access to PII "is like giving a teenager...". You can withhold one or both and the roadcrash behaviour is very much less likely to happen. So rather than maim privacy to everyone's detriment, it would be better to remove the easy access to PII. And I think on balance it would have quite a lot further benefit to society.

EvilKiru • January 27, 2016 4:45 PM

@Dingo: Just because the lesson these victims learned is "don't use social media", it doesn't mean that's the CORRECT lesson to learn, because that lesson is essentially the same as "don't get targeted." Something that's entirely outside of your control.

Awkward Amphibian • January 27, 2016 5:02 PM

Just as a follow-up to myself and some other comments made here:

Social media exacerbate this devastating trolling problem, but it's a problem that existed before social media. In the old times people would just create fake forum accounts or crack a website in your name, but often could not track you very far without spending quite a bit of time investigating you. However, the "real name" policy of certain websites (*cough* FaceBook *cough*) makes it much easier to find people off-line and attack them there, where they might believe they are safe from online trolls, than it was before social media existed. The increase in search engine performance (and the proliferation of specific search engines outside regular web search) has also made it easier to track people online, plus of course the stupid "everything needs to be connected"-philosophy and the better availability of various hacking tools and malware. Dial-up and the early internet did have its advantages...

Things that help avoiding this really are quite similar to avoiding getting mugged in real life:
- Don't post your personal information everywhere for anyone to see.
- Don't brag about your money or other valuables for everyone to hear.
- Don't hang around in bad neighbourhoods or back alleys.
- If you want to join a community, choose one with good leadership/moderation. A community where trolls are nuked the moment they show up will be better for your health than the equivalent of a seedy bar where people routinely beat each other up with broken bottles (e.g. 4chan).
- If you must hang around in the bad neighbourhoods, do anything you can to prevent bad things from happening (yes, that includes the electronic equivalent of the baseball bat with nails, provided you can fight with it).
- When you encounter a troll, appeal to the authorities (not necessarily legal ones, can also be administrators) and react as little as possible. They'll either get taken care of by the powers that be or lose interest. In general, potential trolls/a-holes are fairly easy to recognise due to their aggressive reactions and arrogant stance, so just avoid talking to them.

Really, anything you would tell a kid growing up. Of course, this assumes people understand that the internet is not an extension of their living and/or bedroom, something I have doubts about.

That Dingo stole my baby • January 27, 2016 5:03 PM

@evilkuru, actually, that lesson is not "don't get targeted." It's "don't be the soft target." Every social media platform is a terrarium. You bask on the rock and munch your lettuce while governments, marketeers, and a host of others have their noses pressed against the glass. It's profoundly dumb to submit yourself to that exploitation, as this incident shows.

If you targeted someone who knows that - me, frinstance - harassment would be more of a sporting proposition.

Awkward Amphibian • January 27, 2016 5:59 PM

@W:

It was not my objective to suggest that all shut-ins are sociopaths (or that all trolls are shut-ins, for that matter). It's just that in my experience many people who troll tend to have serious issues with social interaction, and I'm saying that as someone with Asperger's and a fairly reduced social circle (but then I don't get into rows with everyone who says something negative about what I do, like trolls often do). I'm also not blaming being a shut-in as the source of being a troll, it merely is an observation that it seems to be a symptom that applies to a lot of trolls. Instead, the underlying condition is to blame.

If you read my message, it should be clear to you that I describe a set of symptoms that applies to trolls. Obviously, this set of symptoms does not apply to all shut-ins (unless you wish to suggest that all shut-ins make threats of violence and/or have non-stop conflicts :P) or all trolls (there's also those that I would qualify as "boisterous gits", that you may also encounter on a street corner being loud and intoxicated - don't take that too literally please :) ).

If you actually read the psychiatric descriptions for a variety of personality problems, you will find that some of them describe behaviour or symptoms that are typical of trolls, such as intentionally hurting people or manipulative behaviour (which I do hope you will agree with me that it is not standard for all humans!). You will also see that such behaviour usually leads to (severe) social issues. Again, not suggesting that everyone with those disorders is a troll or can become one, merely pointing out a correlation.

I had the chance of encountering a real-life troll (an otherwise extremely unpleasant experience that I can't recommend to anyone) who seemed to derive pleasure from deliberately manipulating people, spreading incomplete information to cause conflicts, and basically being the single worst work-related experience I've ever encountered (and according to people I consulted about the whole thing it was quite extreme). But what was the most amazing thing about them was the completely bizarroworld way they described their social interaction with others, which amongst others had them describe what clearly were mere acquaintances as "friends", how everyone disliked them (when the other person had merely suggested a different way of working) and therefore were not trustworthy (very strange logic), and consistently accusing others of doing what they did wrong themselves. Rather amazing really. Also, they completely lacked any form of self-reflection and consistently refused to even discuss things that went wrong, besides changing their opinion of anything 180 degrees every other day and faking emotions to get results (WTF?).
The person who replaced me after I got really fed up with the behaviour of the troll (sequels for me: depression) ended up in my office crying her heart out a year later because they were driven completely emotionally unstable by the constant abuse. I had mental health professionals tell me the described behaviour sounded a lot like Borderline Personality Disorder...but it is also typically trollish.

It's likely that my experiences colour my view of the subject (but whose don't?), but I also find the human (behavioural) aspect of infosec much more interesting than the technical aspects (I really don't have enough knowledge of that to be able to say much useful stuff). Make of that what you want.

Awkward AmphibianJanuary 27, 2016 6:13 PM

@ Sancho P:

Skimming the article, what I find interesting is how the parents seem to receive most of the abuse, but the son, who lives elsewhere, seems to be less targeted, despite being the original target. That suggests it is someone living near the parents (who is intermittently busy, explaining the quiet moments), but not near the son. Time for law enforcement to check which residents were out of a job during the periods of abuse?

That, or someone needs to have a good look at the parents' telecommunication stuff (replace everything?), because it must be leaking information like a firehose.

WJanuary 27, 2016 6:20 PM

@Awkward Amphibian

I've also met Internet trolls in real life. Fun people. Likeable once you understand them.

Trolling isn't de facto bad. Nor is it new to the world - prior to the Internet, they were called pranksters or comedians. Some take pranks too far. Some have a very perverse sense of humor. But it largely makes up the Internet troll demographic.

Sad to say, but the worst manipulators I've seen on the Internet aren't trolls - they're extremists that constantly redefine common words in the English language to publicly shame and blackmail people with accusations largely divorced from reality. Some do SWAT. More try to get you fired from your career for saying something online that sufficiently bothers them. They often practice financial censorship against online mediums they dislike.

TorJanuary 27, 2016 6:55 PM

I think everyone should use Tor, and stop using Fackbook, and also wear a mask when upload stup1d1ty selfie.

rJanuary 27, 2016 7:42 PM

2 things,

#1 find the motive and you find the person[s]. (Not always that easy)

And...
#2, we can solve the person[s] outside our jurisdiction with drones.


P.s. I've been victimized by this form of terrorism personally: and I distinctly believe that this type and level of harassment can really pass into an area of emotional and psychological terrorism.

John HardinJanuary 27, 2016 7:46 PM

@Z:

> As for the police stopping responding to SWAT hoaxes... there are good reasons for the police to always assume such calls are legitimate. Doing otherwise would be an invitation to get sued.

Probably not true. The USSC has held several times that police departments are not liable for failing to respond to any particular plea for help. Their job is to investigate crimes and arrest offenders.

See for example
https://en.wikipedia.org/wiki/Warren_v._District_of_Columbia
and
http://www.nytimes.com/2005/06/28/politics/justices-rule-police-do-not-have-a-constitutional-duty-to-protect-someone.html

Now avoiding bad press, perhaps so.

rJanuary 27, 2016 7:58 PM

Yanno, thinking about the mental health aspects of this... to anyone thinking about trolls as a disease it's not a joke - the symptoms above listed would be more accurately viewed as sociopathic or psychopathic, I'm no shrink but to me BPD is a catch all for something little understood like how ASD is being reworked these days... (I have mental issues within several of my close family and friends)

But I think, importantly we need to think about the fact that I think upwards of 80% of our society are borderline psychopaths... and our culture further breeds non-genetic variants to add to the mix... when the internet started, it was the nerds like the punk scene... and now? The other 80% has discovered the safety and comfort of virtual anonymity: the 'jocks' (laugh).

:)

rJanuary 27, 2016 8:01 PM

I definitely believe this phenomenon has its roots in the rising masculinity and ubiquity of the internet.

On and onJanuary 27, 2016 10:56 PM

Anyone else finding yourself appallingly open to the power of minor suggestion, of late? It's really interesting.
As are some comments.

Snarki, child of LokiJanuary 28, 2016 6:41 AM

" If it weren't for electronics the disease would have expressed itself some other way e.g. trained pigeons."

RFC1149 "IP over Avian Carrier" baby!

Just watch out for viruses. There's a known problem with avian flu, you know.

Sprint is typing...January 28, 2016 10:25 AM

@Will

This is more or less my point.

We can harden caller ID[*], and we can harden payment methods, but as long as there are places that accept various services (food service, emergency service, terror service) without some sort of authentication, this is pointless, because there will always be ways around it. My desired way of cutting down on this issue is to set up separate policies for hardened authentication and unauthenticated requests for service. And then (and this is the really, REALLY hard problem), we need everyone in the world to use these methods. Disallowing torts for businesses that fail to abide by this would seem to be an easy short circuit.


[*] Hardening Caller ID is actually a really hard problem. In an era where phone systems are increasingly packet-switched and send both control signals and data signals over the same channel, this will require

(1) creating new equipment protocols that support different types of Caller-ID verification
(2) If we decide that enterprise/PBX systems should have customizable Caller-ID listings, we should probably set up some sort of certificate for a list of locations that a PBX is authorized to use
(3) What happens when a name or named location must be tied to a phone number? There are technical, legal, and societal reasons why this can be difficult.

Green SquirrelJanuary 28, 2016 10:53 AM

I am with Jeff et al here.

While it is monumentally traumatic for the victims, this is a problem largely of our own making and doesn't need an infosec solution.

Too many people / systems trust anonymous reporting sources because of the "better safe than sorry" ethos. Until this is fixed, trolling will always be easy enough for people to do.

We also suffer from institutional over-reactions (again because better safe than sorry). This means it is trivial for kids to Swat people with potentially fatal consequences.

But even if we do demand an infosec solution, it is already here. Try doing this behaviour with a Government agency as the target and see how quickly they can work out who you are. They just don't care enough here.

rJanuary 28, 2016 10:54 AM

@no,

I'm serious, so put up or shut up. You say I'm trolling? Let's hope you don't have kids, this kind've stuff is done by non-hackers (bullies) ALL THE TIME. It's just the wannabes that take it to this extreme... In all likelihood if that kid didn't have a computer he would've been an irl stalker... It's likely related to mental health issues that are and individual **cough** maturity **cough**...

Like I said, you think that kid is an idiot? Wait until someone does this to a senator watch the drones fly.

It's emotional terrorism, and if anyone in the world needs time in gitmo it's people like that.

I'm not kidding, I'm not trolling, you may think that I am but maybe it's because the shoes don't fit.

Just passin' thruJanuary 28, 2016 11:06 AM

Hi Bruce

I was just wondering, when a police dept. gets a high nbr of fake hostage calls from a particular location, if this info is fed back into the (new) system that provides red, yellow, and green ratings to police on their subsequent calls.

Suppose the police provided this feedback to the red yellow green rating company... if they had any way of tagging the incident, it probably would be described tagged as a prank. But there almost surely is no way that the incident will be marked as a "prank by others" and that the location and victims would be tagged as such.

I'd think the victims would be falsely tagged as red.

rJanuary 28, 2016 12:10 PM

@just passing,

Being held up at gun point is not a prank, how many people in the u.s. prison system have already tried that angle and lost?

I'm sure someone will argue corpus delicti as nobody was shot by the raid but if airsoft rifles bring down the books so should this unquestionably.


People who swat and or digitally harass others are terrorists.


@all,

Here's another one begging for gitmo or oz: http://www.latimes.com/local/lanow/la-me-ln-youtube-star-sexual-exploitation-20151217-story.html

A non-mouseJanuary 28, 2016 12:36 PM


There are black hats out there who hate my guts. Part of what I do is to rain on their little parades, and sometimes I recover evidence at client sites that empowers their targets to have them prosecuted.

And I very carefully manage things so that they have no idea who I am. More than that, so that they have no idea I exist. All they know is that their cracks suddenly get hardened, they get locked out, and if I have a total win, then maybe somebody they know goes to jail.

I'm either on site using the client's machinery, or offsite using a VPN via Tor. Either way, I log in with a pre-existing account on the client's systems. There are usually just two people at a client site who even know my name and my contract says they don't speak it out loud nor type it into a computer. I accept payment in travelers' checks, on invoices identified by number rather than name and clients keep records identifying me with the invoice numbers paid strictly on paper. Unless I screw up or the client screws up, nobody but me, the client, and at the end of the year, the IRS, knows the client's payment was made to me. And if the client screws up, they owe me extra money. If the IRS screws up, I'll be angry but there's not much I can do.

When I have to penetrate forums, etc, to get things done, I connect through Tor and hide behind something profoundly uninteresting like a channel bot.

Yes, god damnit, I am a raging hair triggered paranoid about the scum finding out about me.

And people who do things like this are the reason why.

DanielJanuary 28, 2016 1:13 PM

I only skimmed the comments but I want to take issue with Bruce's thesis that this is a problem which must have a solution.

There are casualties on the winning side. The idea that we should have zero tolerance for abuses like this case is like all zero tolerances, abusive. Even if one believes that an important function of society is to make human existence less cruel for its members by security mechanisms, less cruel and no cruel are not the same terms. There is a point in time where the obsession with reducing cruelty becomes a cruelty itself.

Lots of people are complaining about lazy police. Yet maybe there is more wisdom in such laziness than we want to give credit for. When one's life sucks no one wants to hear the unsympathetic "it sucks to be you" but sometimes that's the best answer.

or this...

we find that, depending on the level of reciprocity and assortment, selection favors one of two strategies: intuitive defectors who never deliberate,

jamezJanuary 28, 2016 4:36 PM

@Anon
> Surely if a crime was committed, then privacy doesn't apply? The Police should be able to request information as required, in order to discover who did this?
whoa there! we might (mostly) trust the government at the moment, but what happens when they make it illegal to do things they don't like? dictators find free speech criminal. i'm coming from an admittedly american perspective here, but the u.s. government was crafted to prevent it from becoming overbearing and unaccountable. oh, how far we've fallen...
freedom requires privacy.

Sancho_PJanuary 28, 2016 5:10 PM


@Awkward Amphibian

”That suggests it is someone living near the parents (who is intermittently busy, explaining the quiet moments),
but not near the son.”
(emphasis added)

- Um, ¿ - ?

Sancho_PJanuary 28, 2016 5:24 PM


@Bruce

”We need to figure out how to identify perpetrators like this without destroying Internet privacy in the process.”

I think the solution is out there, the TLA’s already have it: Metadata, not content.
“Just” connect the dots (see below “cooperate”).

For the international nature and the legal system(s), these are two different points.

The first isn’t solely international.
Organizations, departments, agencies, governments will not cooperate on their own, on the contrary. It needs strong leadership, trust and time.
Our society is mostly driven by pride, envy, greed, secrecy, segregation, opportunism.

The legal system necessarily is behind technology. It needs quite a few dead bodies to adapt (this is likely an advantage).
The real problem is the increasing percentage of mad people, obviously produced by our society.
We can’t lock them away forever, and their mind, by and large, won’t change over time.

NoJanuary 28, 2016 5:26 PM

@r

I have had close friends of mine attacked by people who claimed there was a culture of "toxic masculinity" on the Internet. Obsessed with the notion of a culture of "toxic masculinity". To the point where they got my friend fired from her job after she vocally disagreed with their bully tactics.

She was homeless for *months* because of the actions of these "anti-toxic-masculinity" activists. Me assuming you were trolling was me assuming (relatively) good faith on your part. Because the alternative is one where I'd consider you a sociopath, stupid, and/or an extremist.

Sprint is typing...January 28, 2016 6:08 PM

@Daniel

One of the factors that contributes to this effect is zero tolerance for failing to follow up on threats.

The advice "Sucks to be you" doesn't really scale. SWATting is rare today but it's known to be effective, cheap, low-skill (for some of the easier attacks), and largely risk-free. We're going to see a lot of these attacks in the next few decades unless we neutralize the attacks (at least the low skill ones).

Because they're not time-intensive, a group of attackers can probably terrorize a group of victims many times its size. And because the attack takes many man-hours to investigate, a tiny action can have an enormous cost.

Finally, we *do* have ways to combat this type of attack. An intelligence community operating 24/7 to collect all phone records of every phone system in the world could do it. Giving local police the authority to make routine requests of this database would be an easy (and nightmarish) solution.

The problem is that this type of power would be leveraged against more than just people looking for lulz, and we have seen that. This power would be leveraged against every political dissident and give every mayor the power to be a little Nixon.

So it behooves us to come up with a realistic solution before everyone knows someone who's been swatted and the powers that be decide for us how to handle it.

Eire Old BoyJanuary 29, 2016 6:31 AM

Wasn't there a minor (as in underage person) in Western Canada who was carrying out attacks of this type?

DanielJanuary 29, 2016 12:52 PM

@Sprint is typing...

"We're going to see a lot of these attacks in the next few decades unless we neutralize the attacks..."

I'm dubious. Very dubious. The criminal element is a rather small part of society as a whole and the criminal element who engages in this type of harassment campaign is tiny. Any solution is going to impact everyone in order to spare a very few people, who frankly, as others have pointed out, have other means to solve their problems.

It is simply bad policy to take a bazooka gun to kill flies.

RadioStarJanuary 29, 2016 6:19 PM

@Z

> Find a way to do this, and you basically find the itsec holy grail - the ability to go against the hackers. There are thousands, millions of vulnerabilities of various types that need to be addressed for IT systems to be secure, a ridiculously unfair task when the bad guy only need to find one or a few to success. This asymmetry in the effort and resources evolved between offense and defense is the big reason why we are in the current mess.
> But find a way to reliably get to the bad guys, and suddenly the whole equation change. There are way less cybercriminals out there than vulnerabilities to patch and/or mitigate, so going against cybercriminals themselves make much more logistical sense. If you can do that, it doesn't matter as much if your information assets are perfectly protected or not. Suddenly, the defensive side isn't as powerless as it was.

Which would be a good argument for keeping everything insecure. For having super massive "dragnet" surveillance systems, and for discarding encryption, and the other things some are trying to do.

I am sure you would make this point, if this was what you believed.

But, I have to say here, from a security angle: no, there are not problems quantifying and de-masking people.

For the ordinary person there is. Obviously. And there are many such stories. But, for the authorities tasked with catching them, there is not that same problem. There can be difficulties with extremely professional, clever criminals. But, extremely professional, clever criminals are VERY FAR from the norm.

Pretty much like the myth of the super genius serial killer never caught because of how professional they are.

There are certainly many professional, criminal hackers. And then there are the state based ones, many of the most dangerous of whom are effectively operating as moles within their own government and do not even work behind the keyboard -- but manage things.

Then there are amateurs. There is a distinct and strong difference.

Most of the amateurs are script kiddies. Most socialize strongly in a pool which is heavily watched. They are signing up to be watched all the time and engaging in crimes in the open which they believe are secret.

Much of what motivates them tends to be social, so they are big mouths who broadcast their efforts to their peers, to preen before them, and when doing so, to the authorities. Who usually ignore them until they look like they will do something really bad. Or if they can.

The very rare sort who goes far out of their way, to harass, are highly unstable and easily brought into the light by the very same aberrant motives that compel them in their crimes.

Countless ways to unmask them, if and when they are not already working in social pools soaked with righteous governmental surveillance.

Even when they are "truly" anonymous, they are easy to manipulate out of the shadows.

Sprint is typing...January 29, 2016 8:51 PM

@Daniel

The criminal element is small, but it is (a) global and (b) able to affect a population many times its size. The swatter mentioned in the NYTimes before ( schneier.com/blog/archives/2015/12/good_swatting_s.html ) was able to attack 22 victims over the span of 1 year, and executed what is described as over 100 attacks, approximately one every three days. This is clearly a few standard deviations from the norm but a handful of people is capable of terrorizing thousands or tens of thousands. Because of the low technical complexity of the attack, we may even see organized crime make an entrance in future years, similar to how they got into the malware business.

I think these are all reasons that we should look at solutions.

Here are some proposed solutions. Tell me, which of these solutions is the bazooka?

1.) Cash-on-delivery food or other services must verify that the person at the location is the person placing the order before delivering.
1a) For example, the order must be placed through a mobile app or login at the store's website, and the first order must be prepaid.
1b) Or perhaps the order must be made with a phone number that has been associated with the address in the past, and a call must be received at that number before billing.
1c) Companies cannot use the courts to compel payment for cash-on-delivery services unless they have made competent attempts to verify the identity of the orderer first. Caveat venditor.

2.) Emergency services cannot have a zero-tolerance policy for not responding to suspicious calls.
2a) Terroristic threats coming from a blocked caller-id will be investigated as possible hoaxes.
2b) Terroristic threats coming from caller-id that doesn't match the description of the threat (e.g. "I'm calling from ISIS headquarters in Syria" and the Caller-ID shows Romania) will be treated as probable hoaxes.
2c) Terroristic threats without specific details or specific attribution will be investigated as very probable hoaxes.

rJanuary 29, 2016 11:19 PM

Anyways, in LA kids get 15 years for drive-bys with paint ball guns. Break the Orange tip off your airsoft? 2 years for possession. Used it in a crime? 15. Let me send an armed gunman into your home, yelling, screaming... maybe your dog gets shot in the process... Maybe like in Detroit they accidentally shoot your 6 year old through the wall during the approach.

Bazookas to swat flies? Any noise going after this behavior is better than just letting it slide... but w/e with drones and iot this type of behavior is going to get much worse... but drag your feet, someone has to die for people to do the right thing these days like with these anti bullying campaigns... It's just sad.

Fake robbery, real guns... and nobody gives a damn.

Btw, the gitmo reference for those of you who don't realize that we are already painting foreigners with drones for hellfire strikes is a reference to something else we already do. Did you know you can't beat your children, but you can send them to boot camps in the Dominican republic where they do it for you?

...maybe that wasn't on the flyer.

RadioStarJanuary 29, 2016 11:40 PM

@r

> Btw, the gitmo reference for those of you who don't realize that we are already painting foreigners with drones for hellfire strikes is a reference to something else we already do. Did you know you can't beat your children, but you can send them to boot camps in the Dominican republic where they do it for you?

We. You mean "you"....


??

Reality, sadly, is... Islam is a religion of hate. So, drone strikes. Fuck. WWIII. Sucks, but fact of life. Drop Islam, and better world.

Not like it has any kind of wisdom or anything to offer, anyway.


The goal is global domination of western, hedonistic ways. Hedonistic in quotes. But, fuck.

va pupJanuary 30, 2016 10:41 AM

@Sprint is typing... • January 28, 2016 10:25 AM.
Caller ID spoofing is currently illegal by Federal Law, but neither FCC nor FTC take real action to protect privacy of US residents and really punish those who violate this Law.
Landline caller id service is piece of Sh...t now.
It could not even provide you message when call is domestic or international; all those information lines like 'state name, call' are not working as well. It should provide name of phone provider (company) when name of the customer is not available.
All legitimate telemarketers, solicitors, etc. should register their phone # with FTC and be available for reverse lookup on FTC page for free to file complain report.
State Attorney Generals don't do anything substantial as well.
Make your own conclusions.

rJanuary 30, 2016 11:50 AM

@RadioStar, while i understand that the existing use of these technologies is fairly biased what i am advocating is a more unilateral use. if they're being applied to existing hackers and terrorists up the ante, we're already in rome.

no, i do not beat my children. a couple of my friends growing up were sent to one of those bootcamps by their father, i guess it could all be a fabrication and a vulnerability in my ears but i tend to believe them.

why else would there be offshore bootcamps of u.s. children?

FOR INSTANCE:

"setting we provide has many things that domestic programs and other traditional teen boot camps cannot."

like i said, it never quite makes the flyer. :)
i am not the monster here, i am merely pointing out that we have existing options in use (that some people deny or refute) that could be expanded to include incidents such as this.

if you have a problem with it: please, by all means write your congressman.

KlaatuJanuary 30, 2016 2:14 PM

Eric Schmidt of Google/Alphabet recently addressed a bigger problem: "In Russia, farms of online trolls systematically harass democratic voices and spread false information on the Internet and on social media."

He understates the problem because he plays host to Russian troll farms on YouTube.

Trolling on YT involves the usual nonsense and also many 1000's of pretend anti-mind control channels along with accompanying fake supporting comments that, like the videos, try to sound as nuts as possible. These are supposed to be delusional, paranoid videos designed for other paranoids. Likely only a stupid few fall into that category. And the above can be said to be a meta conspiracy theory and blah blah bla.

Volume and repetition directed at the US and the West conjures a private Psy-Ops universe directed at the young and impressionable, manufacturing doubt turning objective facts and reality on its head. (Sound familiar? Like the US extreme made mainstream right wing? The Oregon Alamo and Jade Helm)

If you want to hide something real and nasty the spread of misinformation is one way to do it. Like hiding the fact that your political system is an actual police state.

NikoJanuary 30, 2016 3:04 PM

I'm surprised how almost all the comments have ignored the legal end of the problem: Finland won't prosecute juvenile computer crimes and won't extradite their juvenile hackers to the US.

rJanuary 30, 2016 3:19 PM

@niko,

I'm aware of that, hence the drones/rendition.

The least they could do is take away his phone privileges...

Sprint is typing...January 30, 2016 6:24 PM

@va pup

I am well aware that caller id is a sham (I mentioned the fact in a prior comment). I--ahem--didn't include it in the message because it's sort of a bazooka tactic and was looking for common ground with @Daniel (and this is the only point that I omitted for that reason).

Honestly, the only way to stop some of these swatting attacks is to harden caller id where we can. If the user uses a relay, or masks the caller id that's fine but at least we can see it labeled as such and can give it the appropriate attention.

Fixing caller id would be incredibly difficult and would take years, but we may get the opportunity to do that in the US as phone companies begin converting customers from POTS to SIP. I'm not aware of any telecommunications company that believes that POTS is the future, and they're all invested in making changes anyway.

RonKJanuary 31, 2016 4:58 AM

> Drop Islam, and better world. ... Not like it has any kind of wisdom or anything to offer, anyway.

Why do I get the impression that people who spout such stuff approximately know as much about Islam as I know about Hinduism, which I learned about in 7th grade Social Studies class many, many years ago?

Now when I merely skim the articles in Wikipedia on the myriad variations of Hinduism which exist, I realize just how simplistic my understanding of it is.

Do not take this to mean that I believe that the vast majority of practitioners of both religions practice or understand them in a way which is at all interesting...

crtxcFebruary 1, 2016 11:14 AM

re: the previous comment about dropping islam, monocultures are dangerous the rights of all practitioners of all religions must be protected, including the right not to be religious. It is a basic human right like privacy, safety, security, etc.

For the last two years I have experienced harassment and the perpetrators of these crimes are Christian bible college students in Sydney Australia.

The computer crimes have escalated to the point where I cannot use my computer without it being owned by the "christian" bible college student/computer scientist.

The scary thing is that I removed my wireless cards and bluetooth cards, I completely air-gapped my machines and even so the criminal "christian" reads and copies files and images, goes under the intrusion detection system, goes under the firewall, gathers passwords and other computer use data, accesses, reads and writes to /tmp.

I call the attack InSeNRA (Insidious Serial Nether Remote Assault). This "neighbour" bible college student/computer scientist and his friends have attacked and owned Intel, AMD, and powerpc. They even used it to make all my usb drives read-only by changing the NTFS file system option to read-only.

I also think they have DMA (Direct Memory Access). There is no evidence left except for the mess or tracks they choose to leave - little "I was here" tags, and they like to gloat with "what proof do you have".

Scary also, is these people are members of one of the richest churches in Sydney, the Anglican Church, and with its money comes power and political influence.

Now, these "bible college" Students, have lied, cheated, destroyed our computers, mocked us, slandered us, made attempts to defame our character, manipulated social situations to their advantage, on and on and then on top of it all I discover this horrible InSeNRA, of which I don't think there is a defence.

I classify this as terrorism or digital terrorism and it is being done by highly educated people calling themselves Christians.

We have to get past this primitive religious bickering. We can't learn in fear unless it's fear we want to learn.

rFebruary 1, 2016 9:04 PM

@crtxc,

My sincere apologies && How are you transferring data to your pc? If you're using sdcards or thumb drives and being honest I would suggest switching to cd/dvd's only.

crtxcFebruary 2, 2016 11:38 AM

@ r: Thank you for your response. Your post raised some questions in my mind. First, why are you making an apology? Are you one of the Christian bible students that have relentlessly attacked our computers and network for the last two years? You needn't apologise for another's wickedness.

You asked if I was being honest. Yes I assure you I am, and I wonder if your query of my honesty was a subversive attempt to influence other readers to question my credibility and validity; living in close proximity with these "Christians" I have watched and learned that they are very skilled at manipulating with that very same tactic; just an interesting thought, please don't be offended.

I thought, perhaps my mentioning crimes committed by "Christians" made you nervous because you yourself are a "Christian". That was not intended, however it is interesting; in today's societies usually Muslims are manipulated into a defensive position; refer to the derogatory comment about Muslims made above, if you wish.

As I stated in my previous comment, these highly skilled attacks were directed against all our computers, relentlessly and the attack techniques progressed to my discovering what I call InSeNRA (Insidious Serial Nether Remote Assault). InSeNRA was executed successfully even when our computers were completely air-gapped, that is I removed the wireless and Bluetooth cards from the machines and still the attackers were connecting. Also as I stated previously they accomplished this attack on a PowerPC machine, which is ancient, doesn't have a powerful GPU to exploit, doesn't utilize Intel's ME (management engine), and doesn't use Intel's iAMT (Intel's Advanced Management Technology).

I am guessing that your suggestion not to use usb and sd cards is to avoid usb poisoning or evil usb attacks. I thought about this, but using only cd and dvd's was impractical for this reason, regardless of the media I was using, the "christian" attackers were unrelenting in their constant monitoring, establish persistence, collection exfiltration and exploitation; you have to realize that they were attaching _under_ the operating system; this is something I have never heard of before.

This attack is new; as an aside I think they will be targeting other victims in the wild after they work out all the kinks.

Presently the attacks are undetectable. Firewalls don't work, intrusion detection systems like snort do not work. All that can be seen is mess they leave.

The closest thing that might be comparable to InSeNRA (which I have heard of) is the iAMT exploit as studied by Patrick Stewin, however this is worse. It doesn't appear to need malware, and it can be used on non Intel machines like my PowerPC.

As you can see the implications of this technology are horrible. The attacker has absolute knowledge of everything I am doing on the computer: Journal, ideas, inventions, intellectual property -- nothing is private, and they can steal anything they want without leaving any evidence they were there. Journalism? Insider trading? Theft of intellectual property? This is an absolute breach of trust, and the only thing anyone is interested in is covering it up.

I can't safely or privately use a computer, these Sydney (Sydney, Australia) "Christian" students have made certain of that, so at this point, what media I am using to move data to and from a computer that is actively targeted and owned by a hostile attacker is not a primary concern.

If you were sincere in your suggestion, thank you for sharing; this is a tough problem to solve; I hope a defence against this attack can be found.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.