Mailing Tech Support a Bomb

I understand his frustration, but this is extreme:

When police asked Cryptopay what could have motivated Salonen to send the company a pipe bomb ­ or, rather, two pipe bombs, which is what investigators found when they picked apart the explosive package ­ the only thing the company could think of was that it had declined his request for a password change.

In August 2017, Salonen, a customer of Cryptopay, emailed their customer services team to ask for a new password. They refused, given that it was against the company's privacy policy.

A fair point, as it's never a good idea to send a new password in an email. A password-reset link is safer all round, although it's not clear if Cryptopay offered this option to Salonen.

Posted on November 16, 2018 at 2:11 PM • 12 Comments

Comments

Men in BlackNovember 16, 2018 2:40 PM

You appear to have linked to a rather unsavory competitor of Counterpane.

Sophos? Naked Security? Hitman Pro?

No, no, no. Alarm bells are going off somewhere way back in my brain. There is too much "Eros" and "Thanatos" to that Sophos company. And it is too professional. It smells like a dirty couch in an old college frat house.

milkshakeNovember 16, 2018 2:50 PM

the perpetrator was a well-known nutjob with a history of sending threatening packages and letters. But regarding that company -if they cheated him of his money, allowed his account to be compromised or provided lousy service and frustrating custom service, it is unlikely they would admit it - so I guess thy should ask the nutjob,

By the way, after experience with Comcast ("Proudly providing the internet service in Hell" and "That's how we outmaneuver you") I have sympathy for irate customers who wish them something slow and painful.

mausNovember 16, 2018 4:42 PM

"No, no, no. Alarm bells are going off somewhere way back in my brain. There is too much "Eros" and "Thanatos" to that Sophos company. And it is too professional. It smells like a dirty couch in an old college frat house."

Sophos Group has been around since 1985, wherever you're getting your "alarm bells" from, be it Infowars or 4chan, you should probably research before jumping into the first conspiracy that tingles your brain.

mausNovember 16, 2018 4:43 PM

To clarify, you should do your dilligence *not* on chan sites and that brand of fruitless paranoia.

CynthiaNovember 16, 2018 6:09 PM

Odd that the privacy policy would be the main thing standing in the way of such an insecure procedure. Yeah, someone who hacked me that way might see some personal information including how much money I have, but that's not my primary concern about strangers getting into my financial accounts...

Men in BlackNovember 16, 2018 7:05 PM

https://motherboard.vice.com/en_us/article/bjeznz/how-do-you-know-when-youve-been-hacked-gmail-facebook

Another one. Clean at first glance, but there's a little something shady or sleazy going on with these sites.

vice.com? That sounds like a dirty swear word already.

motherboard.vice.com? Sounds like "motherf***er!"

I can't get past the feeling that they're pushing the drugs, porn, and online dating too hard.

It's a double entendre here or there, always a bit short of calling a spade a spade.

DaveNovember 17, 2018 2:04 AM

@maus: "that brand of fruitless paranoia".

I dunno, given the number of fruitcakes on those sites I'd say it's anything but fruitless.

colourNovember 17, 2018 4:55 PM

@milkshake: When I cut the cord with Verizon FIOS & dropped TV (far too expensive useless "Reality TV"), I went in in person to return all the set top boxes. I explained to the clerk that I required a receipt for everything that had been returned. Apologizing for the inconvenience of producing a receipt, I explained that I used to have service through Comcast. That poor clerk laughed so hard. It took a while before he could write up my receipt. (At the time Comcast was know for fraudulently denying equipment had been returned and continuing to bill folks monthly rentals or replacement costs. And that's just the tip of their unholy black pit of despair!)


CryptoPay is reportedly an Online Bitcoin Wallet with a debit-card capability. Oh, and with a .me domain, the Internet country code top-level domain for Montenegro.

Considering the type of services they're offering, the type of clientele they're likely to attract, real money being involved, and how bitcoin has been dropping like a rock over the past year... Hmmm... Yeah....

HotshotNovember 17, 2018 10:56 PM

It is not clear to me why a password reset link is more secure then sending a secure password. Is this because of the distrust for the e-mail provider? If they sent a password in an e-mail and an adversary had access to your e-mail, then they would know the password and the link. If not, then just ensure that you delete the e-mail containing the new password. It makes sense to that it isn’t necessarily effective from the perspective that most people wouldn’t delete the e-mail with a password in it. Is that what you mean?

mausNovember 19, 2018 10:10 AM

@Dave: "I dunno, given the number of fruitcakes on those sites I'd say it's anything but fruitless."

Oof, yes. Some of the worst on the internet resides there, and while whack-a-mole seems fruitless, we'd still be better if they weren't stable and available for their membership to grow so cancerous.

mausNovember 19, 2018 10:12 AM

@Hotshot: "The problem with this is twofold – 1) The passwords are retrievable which means that they are either being stored in the site’s database as plaintext or encrypted with a reversible algorithm 2) Those passwords are sent without encryption so hackers sniffing network traffic could steal them. What make matters worse is that users are likely to reuse the same passwords and usernames on other websites or systems which opens doors for many other attacks."

It's bad practice. Users should not be re-using the same passwords everywhere. If they can't recall them they should generate an entirely new password.

Anonymous6November 21, 2018 11:23 AM

That's just weird - it was sent to the wrong address, where it sat unopened for several months.

Even though dude is clearly nuts, it must have struck him as odd that there weren't police at his door, or even a news posting, about the bomb in all that time. I can't help but wonder if he spent all that time getting even more paranoid and isolated, or if he actually felt like he got away with it somehow?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.