There's some sort of karmic justice here.
February 21, 2006 9:44 AM

"To tell the truth ... I'm sorta surprised they haven't caught me yet," The Washington Post ran an interesting interview with a botmaster, a young man who made several thousand dollars a month installing XXX spyware on machines that he controlled. He installed the software on the machines of people he did not know by hacking into them remotely. The lengthy article included a partial photo of the botmaster along with vauge descriptions of the small midwestern town where the man lives, and was published with the understanding that the man's identity would be kept secret. Someone should have told that to the person that manages photos at the Washington Post. An estute reader over at Slashdot was able to locate some extra information stored in the picture's metadata including the photographer and the location the picture was taken, Roland, Oklahoma, a town of less than 3000 people. Whoops.
posted by daHIFI (54 comments total)
 
I'm just wondering if anyone wants to place bets on how long before this guy gets A: arrested, B: sued, or C: both?

And I apologize if this is a double but it didn't come up on search and I don't remember seeing it on the front page recently.
posted by daHIFI at 9:46 AM on February 21, 2006


That was pretty ballsy (and dumb) to grant an interview to the WP - bragging doesn't pay.
posted by stbalbach at 9:51 AM on February 21, 2006


And he would have gotten away with it if only for the exif data. Sued, arrested, impounded, repo'ed and probably beaten. Whoops, indeed.
posted by fenriq at 9:54 AM on February 21, 2006


Interestingly, in the two other forums I've seen this IPIC data leak show up (Digg, and somewhere I forget) the posts have all been sympathetic to the hacker who may have been outed.
posted by Nelson at 9:55 AM on February 21, 2006


Yah, the guy is not a total sleazebag because he claimed not to have used the stolen password information he gleaned off of those machines, but to do an interview for the Post and say “to tell the truth … I’m sorta surprised they haven’t caught me yet,” is just asking for trouble. I'm laughing my ass off at the whole thing.
posted by daHIFI at 9:56 AM on February 21, 2006


Nelson, maybe he should try to get his jury culled from those forums. Come on, a botmaster? Slime on the hull of the good ship Internet.
posted by fenriq at 9:58 AM on February 21, 2006


The other reason I posted this on my blog was because I've been getting most of my hits from people who have been scammed one way or the other, and I was hoping to bring a little more light to the methods these guys use to get on machines in the first place. Hopefully this will put some pressure on the companies this kid gets his checks from.
posted by daHIFI at 9:59 AM on February 21, 2006


"astute" reader, "vague" description. spellcheck nazi!
posted by jonson at 9:59 AM on February 21, 2006


Thank you Jonson. My spelling ability has gone down dramatically since I started using Word at work.
posted by daHIFI at 10:02 AM on February 21, 2006


It's a cool story, but I'd have waited a few days to post as an FPP. The Post may run a correction or an apology, and we have yet to see whether anyone actually does anything with the info posted on Slashdot.
posted by cribcage at 10:10 AM on February 21, 2006


I don't really feel that bad for him, considering his activities, but it does kind of suck that he was "outed" because of the Post's stupidity, not his own. OTOH, giving the interview in the first place was rather stupid. So it's kind of a wash.
posted by Sethamin at 10:10 AM on February 21, 2006


Live discussion about the article on the WP site right now...The metadata was mentioned:

Washington, D.C.: Are you aware that the Post failed to scrub the metadata from the images used in this article, leaving information about your town (starts with "R", ends with "d")? This was picked up by users of the Web site Slashdot over the weekend. Using other clues in the article, they were even able to guess the intersection where you live. Have you been contacted by law enforcement personnel? Do you intend to take action against the Post?

Brian Krebs
[host of the online chat]: As you know we take our obligations with sources very seriously and I don’t want to comment about any speculation about sources.
posted by poppo at 10:14 AM on February 21, 2006


I may be incredibly ignorant but how did the metadata come to contain the location information anyway? unless the photographer manually entered it, which seems unlikely... or do digital cameras have GPS nowadays?
posted by criticalbill at 10:15 AM on February 21, 2006


BTW, the questioner mistakenly assumes Brian Krebs was the subject of the article rather than the writer...
posted by poppo at 10:15 AM on February 21, 2006


The nearest businesses are a used-car lot, a gas station/convenience store and a strip club...

Why would the WP describe the neighborhood of their confidential source's home? Creating metadata about where the photo was shot and then forgetting to remove it before posting to the web makes me suspicious that someone wanted this guy to get caught.
posted by nomad at 10:18 AM on February 21, 2006


Should I be able to read metadata by choosing "File Info" in Photoshop CS2 9.0?
posted by Protocols of the Elders of Awesome at 10:18 AM on February 21, 2006


I may be incredibly ignorant but how did the metadata come to contain the location information anyway? unless the photographer manually entered it, which seems unlikely.

Professional photographers tag this sort of information onto their photos manually, so that they have a way to find them later.
posted by I Love Tacos at 10:21 AM on February 21, 2006


That was pretty ballsy (and dumb) to grant an interview to the WP - bragging doesn't pay.

First rule of crime club. DO NOT TALK ABOUT CRIME CLUB.

But seriously, if you're doing something illegal, don't talk about it to anyone. The majority of people caught for major crimes are people who blab to their friends about it.
posted by delmoi at 10:25 AM on February 21, 2006


I may be incredibly ignorant but how did the metadata come to contain the location information anyway? unless the photographer manually entered it, which seems unlikely... or do digital cameras have GPS nowadays?

The information was probably entered manually by the photographer. Large news agencies usually have internal guidelines about religiously tagging digital pictures to keep them sorted, and the person who entered the metadata was likely on autopilot and just following the usual procedures.
posted by truex at 10:26 AM on February 21, 2006


Do you intend to take action against the Post?

There is certainly no legal obligation the Post has to keep this stuff secret. You can't sue someone for talking about your crimes. LOL.
posted by delmoi at 10:27 AM on February 21, 2006


I read earlier today (but now can't find the bloody link) that the botnet kid is claiming the metadata is incorrect, and that he doesn't actually live in Roland, OK at all. He would say that, obviously, but the data is added manually after the fact, rather than automatically in the camera like EXIF, so it's possible...

Either way, as one of the Slashdotters points out, who knows how many anonymous sources could be outed thanks to metadata like this.
posted by jack_mo at 10:28 AM on February 21, 2006


It's interesting that all he did was install spyware on the rooted machines, rather than using them to send spam.

but it's my understanding that someone has to cause $2,500 worth of damage (or maybe more than that) before the FBI gets involved, and they have no idea whose machines have been hacked, in order to get complaints. And how could they? So many machines out there have spyware on them.

The cops can't just go bust someone because they think he might be a hacker, they need complaints first, and how could you show damages from having spyware installed.

It's a bit like stealing the newspaper from random people's yards. A minor annoyance, but no one person suffers enough damage to actually get someone to investigate.
posted by delmoi at 10:31 AM on February 21, 2006


Did the story remove the photo? I don't see it on any of the pages of the article.
posted by xmutex at 10:34 AM on February 21, 2006


Protocols: yes. Or upload it to flickr and they display it in a web-interface.

From /.

SLUG: mag/hacker
DATE: 12/19/2005
PHOTOGRAPHER: Sarah L. Voisin/TWP
id#: LOCATION: Roland, OK
CAPTION:
PICTURED: Canon Canon EOS 20D
Adobe Photoshop CS2 Macintosh 2006:02:16 15:44:49 Sarah L. Voisin


Best comment tho:

I never thought that journalists might leave metadata in their images -- I thought that they'd have some sort of automated content management system that would take in a TIFF or whatever and spit out a JPEG of the appropriate size for the current design of the web page.

I'm now wondering how many other news stories might have very much unintended data leaks through metadata tags in images. Possibly quite a hell of a lot.


I wonder what editorial policy is about this for non-anonymous subjects, since the photographer always gets the byline anyway, why bother to scrub it? Granted, it would probably be safer to just scrub everything.

I just tested another picture from the WAPO article, and it still had its EXIF data inside, but no location or name of photographer...

delmoi: The cops can't just go bust someone because they think he might be a hacker, they need complaints first, and how could you show damages from having spyware installed.

Maybe. What if you hire your nephew to repair the computer and pay him $25 to do it? That wouldn't be too hard to prove, if the law really wanted to go after this guy.
posted by tweak at 10:37 AM on February 21, 2006


I'm just wondering if anyone want's to place bets on how long before this guy gets A: arrested, B: sued, or C: both?

You forgot:

D: the shit kicked out of him
posted by Pollomacho at 10:37 AM on February 21, 2006


and yes, it appears the photo has been removed. It's only a matter of time before it finds its way back on the web, though, as several slashdot readers saved it to their machines, based on the comments.
posted by tweak at 10:38 AM on February 21, 2006


Did the story remove the photo? I don't see it on any of the pages of the article.

xmutex, according to the slashdot post, the picture was removed from the story. Which, if you think about it, suggests that the Post thought the metadata was problematic (i.e., accurate).
posted by pardonyou? at 10:40 AM on February 21, 2006


Whoa, my father's family lived in Roland, OK for a while around eighty years ago! I never thought I'd see the name unless I was looking for it on a map.

Oh, and that's quite a story. I guess that's what you get for talking to reporters.
posted by languagehat at 10:42 AM on February 21, 2006


oh and this comment is particularly scary, they've sort of pinpointed the hacker's location to this general area.

You can see the original photo under discussion online here. and here and here.
posted by tweak at 10:43 AM on February 21, 2006


And to suspect that this thing was intentionally falsified fails Occam's Razor. Why make it up that he's in Roland? How much work would that take to pick the town to match the description when it does appear there are indeed the businesses described in the article in Roland?

Note: all three photos I still linked to still have their EXIF data. WAPO is moving slow in internet time. I posted them to Flickr (private) to see for myself.
posted by tweak at 10:46 AM on February 21, 2006


Someone should call the cops or the FBI before this guy heads to Mexico.
posted by tweak at 10:47 AM on February 21, 2006


but it's my understanding that someone has to cause $2,500 worth of damage (or maybe more than that) before the FBI gets involved, and they have no idea whose machines have been hacked, in order to get complaints. And how could they? So many machines out there have spyware on them.

Companies pay him over $10,000 a month for software he's installed on users' machines with the understanding that he's gotten their consent. I guarantee you it's in the agreement. However, he hasn't gotten their consent. Therefore every dollar he's ever been paid by the companies is illegitimate enrichment, and rightly belongs to the company. All the FBI would need is one complaint from a company that he, in essence, stole money from, like 180solutions, to cross that $2,500 threshold; from the article 180 has been cooperating.

Also, funniest part of this whole thing: the pop-up wapo.com tried to launch (blockx0red!) when I read the article was for travelzoo, a company that engages in as much, if not more, affiliate/spyware/adware chicanery as 180solutions or any of the others that pay this guy.
posted by ChasFile at 10:51 AM on February 21, 2006


Newspapers have huge workflows and the exif/ipic data is one way for them to manage assets. I noticed in the goofy photos the NYT took of me ages ago that they included all sorts of bits like that.
posted by mathowie at 10:54 AM on February 21, 2006


Here's the link I refer to above:

Someone claiming to be 0x80:
funny is that that is way off from where i reside apprently from what i gathered from brian kreps was it was old metadata so im still safe. haha i guess luck is on my side :)
Also, this is apparently IPTC data, not EXIF.
posted by jack_mo at 10:58 AM on February 21, 2006


Something tells me [the EFF will] just ignore this guy and keep collecting "information wants to be free"checks and complain about Sony 24/7.

Your understanding of the various hacker subcultures is about as informed as those who can't tell a Salafist from a Sufi.

Sony is the party comparable to this guy, not whatever strawman you're imagining. Sony covertly installed rootkits on thousands and thousands of computers without the owners' permission, for monetary gain.

The EFF rightly opposed this and would undoubtedly oppose this guy's actions, with no inconsistency whatsoever.
posted by sonofsamiam at 10:59 AM on February 21, 2006


"but it does kind of suck that he was "outed" because of the Post's stupidity, not his own"

When did we start to refer to being caught in a crime as being "outed"..... bad use of the term. And, yes...he was stupid..he's in trouble because he is stupid, he does illegal things because he is stupid...let's not blame the Post for that.

The idiot is a criminal, a stupid criminal, and messes (I changed that word so as not to offend the faint of heart!) with other people's computers..

tar and feather the jackass!
posted by HuronBob at 11:01 AM on February 21, 2006


Something tells me that people will get some hardcore action involving his "backdoor" in prison...
posted by qvantamon at 11:11 AM on February 21, 2006


Maybe. What if you hire your nephew to repair the computer and pay him $25 to do it? That wouldn't be too hard to prove, if the law really wanted to go after this guy.

It might be enough if he happened to hit someone in his home town, but the cops aren't going to do much for $25. And it takes thousands and thousands of dollars to file a complaint. The FBI would need to track down hundreds of victims before they could really do anything.

They could go talk to him though, and ask him to stop. I've known two people who have been personally asked to stop pirating stuff by the FBI.
posted by delmoi at 11:15 AM on February 21, 2006


ChasFile: It's $X amount in damages not $X amount of ill gotten gains. If I buy a stolen TV set, the thief hasn't stolen my money, just the TV.

Anyway, that's beside the point. These spyware companies know exactly who is installing their software, and they don't really care as long as they're not getting scammed themselves. The spyware companies have made money through this agreement, not lost it.

That said, I suppose the FBI might get involved if there was a general pressure put on them, which might happen with this story, etc.
posted by delmoi at 11:23 AM on February 21, 2006


When did we start to refer to being caught in a crime as being "outed"..... bad use of the term.

Out of hiding? "Coming out party?" It's an older usage than the "coming out" as gay usage.
posted by Pollomacho at 11:33 AM on February 21, 2006


ChasFile: It's $X amount in damages not $X amount of ill gotten gains. If I buy a stolen TV set, the thief hasn't stolen my money, just the TV.

Geez.

1) If he received money from the company in violation of their agreement with him, then the company has suffered damages in the amount of whatever they paid him. Indeed, maybe more, because they lost the opportunity to pay that money to a legitimate contractor that would have rendered the services required under the agreement. Since he didn't get consent, legally the adservers can't use his refers, so under the agreement the money should never have been paid. Granted, it's a civil matter, and the involvement of the FBI might still be iffy, but the point is that to suggest he's done less than many thousands of dollars worth of harm is silly.

2) I don't really get the TV analogy here. Sure, I'm up a TV and down the money, but if we had an agreement that said something along the lines of "seller guarantees that the TV in question is legally his to sell and that he obtained said TV with the full acknowledgement and blessing of his supplier, or else the deal is invalid and no transaction will take place," which, if you substitute "adware space installed on a third party's machine" for "TV" and "malicious hacker" for "seller" and "critical update non-installing rube with a cable modem" for "supplier," is basically what is in place between these companies and guys like 0x80, then that kind of changes things, right?

Anyway, that's beside the point. These spyware companies know exactly who is installing their software, and they don't really care as long as they're not getting scammed themselves. The spyware companies have made money through this agreement, not lost it.

I can't really disagree with much of that. I maintain that from a legal standpoint, under the terms of their agreements, they have been damaged by 0x80 and his ilk for substantial sums. I however cannot deny that not only have they made substantial sums in "spite" of this, they certainly don't discourage that kind of behavior. Indeed, to a very real extent they are complicit themselves for encouraging and rewarding illegal activities, and if the feds have any balls or brains at all (rare coincidence) they'll forget about 0x80 and go after the big boys like 180solutions and gamma-cash that are the real sources of all these problems.
posted by ChasFile at 11:58 AM on February 21, 2006


Did the story remove the photo? I don't see it on any of the pages of the article.
posted by xmutex at 1:34 PM EST on February 21


It was there last night, now gone today.

I have no sympathy for the bot boy. Karma can be a bitch. However, WaPo sticks another pin into the journalism voodoo doll with this mistake. It makes it that much harder for the next reporter to get a story from a nervous source.
posted by caddis at 12:12 PM on February 21, 2006


I thought that they'd have some sort of automated content management system that would take in a TIFF or whatever and spit out a JPEG of the appropriate size for the current design of the web page. (quoted above from Slashdot)

Photoshop carries over the EXIF/IPIC from the source images. I was just wondering the other day how much people have become aware of the carryover issues, since Photoshop-wise, I've been trying to get less data to carry through.
posted by VulcanMike at 12:55 PM on February 21, 2006


Firefox EXIF extension
posted by AaronRaphael at 1:15 PM on February 21, 2006


The Washington Post site had a "live online" interview with the story's author this afternoon. Only one question about this was answered:
Washington, D.C.: Are you aware that the Post failed to scrub the metadata from the images used in this article, leaving information about your town? This was picked up by users of the Web site Slashdot over the weekend. Using other clues in the article, they were even able to guess the intersection where you live. Have you been contacted by law enforcement personnel? Do you intend to take action against the Post?

Brian Krebs: As you know we take our obligations with sources very seriously and I don't want to comment about any speculation about sources.

Editor's Note: This question was edited to remove a specific reference to the town name.
posted by xiann at 1:47 PM on February 21, 2006


All that will happen to him is he'll win a gold medal in skiing.
posted by QIbHom at 1:49 PM on February 21, 2006


Photoshop carries over the EXIF/IPIC from the source images. I was just wondering the other day how much people have become aware of the carryover issues, since Photoshop-wise, I've been trying to get less data to carry through.

"Save for web" (at least in PS 7) removes EXIF stuff, which is annoying because flickr doesn't know when I took my pictures. So I had to stop doing that.

Anyway.
posted by delmoi at 2:08 PM on February 21, 2006
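The Slashdot dump quoted by tweak above (SLUG, PHOTOGRAPHER, LOCATION) and the Photoshop carryover / "Save for web" discussion between VulcanMike and delmoi both come down to the same mechanism: a JPEG carries its metadata in marker segments in front of the image data (APP1 for Exif and XMP, APP13 for the Photoshop image-resource block that holds IPTC-IIM datasets such as By-line, City and Province/State), and any tool that copies those segments through will ship them to the web. The following is an added example, not code from the thread or from any tool mentioned in it. It walks the JPEG header segments, decodes the IPTC datasets from an APP13 block, and produces a scrubbed copy that keeps only the structural segments (JFIF, quantisation and Huffman tables, frame header) plus the scan data. The sample file is constructed inline; it is a marker skeleton, not a decodable picture, and the IPTC values in it are chosen only to mirror the fields seen in the dump (the real file's dataset layout is an assumption).

```python
import struct

# JPEG marker bytes (the second byte after 0xFF)
SOI, SOS, EOI = 0xD8, 0xDA, 0xD9
APP0, APP1, APP13, COM = 0xE0, 0xE1, 0xED, 0xFE

# IPTC-IIM record 2 datasets commonly filled in by newsroom workflows
IPTC_NAMES = {
    (2, 5): "ObjectName",      # often used as the slug
    (2, 80): "By-line",        # photographer
    (2, 90): "City",
    (2, 92): "Sub-location",
    (2, 95): "Province-State",
    (2, 101): "Country",
    (2, 120): "Caption",
}

def split_jpeg(data):
    """Return (header_segments, tail): header_segments is a list of (marker, payload)
    for every segment between SOI and SOS; tail is the raw bytes from SOS to the end."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    segs, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:
            return segs, data[pos:]          # entropy-coded data follows; keep verbatim
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # includes the 2 length bytes
        segs.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("no SOS marker found")

def parse_iim(body):
    """Decode IPTC-IIM datasets: each is 0x1C, record, dataset, 16-bit length, value."""
    out, pos = {}, 0
    while pos + 5 <= len(body) and body[pos] == 0x1C:
        rec, ds = body[pos + 1], body[pos + 2]
        size = struct.unpack(">H", body[pos + 3:pos + 5])[0]
        pos += 5
        out[IPTC_NAMES.get((rec, ds), "%d:%d" % (rec, ds))] = body[pos:pos + size].decode("latin-1")
        pos += size
    return out

def parse_app13(payload):
    """Walk the Photoshop image-resource blocks in an APP13 payload; resource 0x0404 holds IPTC."""
    sig = b"Photoshop 3.0\x00"
    if not payload.startswith(sig):
        return {}
    found, pos = {}, len(sig)
    while pos + 12 <= len(payload) and payload[pos:pos + 4] == b"8BIM":
        rid = struct.unpack(">H", payload[pos + 4:pos + 6])[0]
        name_total = payload[pos + 6] + 1          # Pascal string, padded to even length
        name_total += name_total % 2
        pos += 6 + name_total
        size = struct.unpack(">I", payload[pos:pos + 4])[0]
        pos += 4
        if rid == 0x0404:
            found.update(parse_iim(payload[pos:pos + size]))
        pos += size + (size % 2)                   # resource data is also even-padded
    return found

def find_metadata(data):
    """Report which metadata segments a JPEG carries and the IPTC fields they expose."""
    report = {}
    for marker, payload in split_jpeg(data)[0]:
        if marker == APP1 and payload.startswith(b"Exif\x00\x00"):
            report["exif_bytes"] = len(payload)
        elif marker == APP1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
            report["xmp_bytes"] = len(payload)
        elif marker == APP13:
            report.update(parse_app13(payload))
        elif marker == COM:
            report["comment"] = payload.decode("latin-1", "replace")
    return report

def strip_metadata(data):
    """Rewrite the JPEG keeping only segments the decoder needs; drop Exif/XMP, IPTC and comments."""
    segs, tail = split_jpeg(data)
    out = bytearray(b"\xff\xd8")
    for marker, payload in segs:
        if marker in (APP1, APP13, COM):
            continue
        out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out + tail)

# --- constructed sample (marker skeleton only, not a decodable image) ---
def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def _iim(datasets):
    body = b""
    for (rec, ds), val in datasets:
        v = val.encode("latin-1")
        body += b"\x1c" + bytes([rec, ds]) + struct.pack(">H", len(v)) + v
    return body

def _app13(iim):
    irb = b"8BIM" + struct.pack(">H", 0x0404) + b"\x00\x00" + struct.pack(">I", len(iim)) + iim
    return b"Photoshop 3.0\x00" + irb + (b"\x00" if len(iim) % 2 else b"")

SAMPLE_IPTC = [((2, 80), "Sarah L. Voisin/TWP"), ((2, 90), "Roland"), ((2, 95), "OK")]  # assumed layout
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08\x00\x00")   # Exif header, empty IFD
    + _segment(APP13, _app13(_iim(SAMPLE_IPTC)))
    + _segment(0xDB, b"\x00" + b"\x01" * 64)                              # DQT placeholder
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"   # SOS header
    + b"\x12\x34" + b"\xff\xd9"                                           # scan data + EOI
)

if __name__ == "__main__":
    print("before:", find_metadata(SAMPLE_JPEG))
    print("after: ", find_metadata(strip_metadata(SAMPLE_JPEG)))
```

The practical check for a newsroom or anyone publishing images of a confidential source is the `find_metadata` pass run on the file that actually goes to the web server, not on the original: the dump above shows the fields survived a Photoshop CS2 round trip, so the only safe assumption is that whatever the publishing tool emits still carries them until proven otherwise. Note that the stripper keeps APP0 and the table/frame segments untouched and copies the scan data byte for byte, so it does not recompress; it also deliberately ignores APP2 (ICC profiles), which carry no location or name data.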


Editor's Note: This question was edited to remove a specific reference to the town name.

Which suggests they had it right?

(btw, you can see the original question, with reference included, in poppo's post).
posted by pardonyou? at 2:14 PM on February 21, 2006


AaronRaphael: Firefox EXIF extension

Sweet. Please can someone write a GM script which overlays a dot in the corner of an image if it contains extended EXIF information?
posted by blag at 3:51 PM on February 21, 2006


Since nobody who can demonstrate real damage will be able to file a complaint, I'd bet he will just be destroyed by vigilante justice. It doesn't matter what the law may say, the mob has judged him guilty, and those whom the internets notice, they destroy.
posted by Megafly at 6:23 PM on February 21, 2006


nothing is going to happen to him because the american government is too busy trying to outlaw science, and giving money to large companies...
posted by stilgar at 8:42 PM on February 21, 2006


skallas - Did Cory Doctorow pee in your Count Chocula or something?
posted by swell at 10:26 PM on February 21, 2006


I live literally 5 minutes away from Roland in Fort Smith, AR and I can tell you that I 100% believe that's where he really is from the description of the town in the article. The gas station is probably The Super Stop, right across the street from Roland's only supermarket. The used car lot is probably Blue Ribbon Downs where I bought my last car, and the strip club is definitely Cheyenne's ( the only strip club in a 50 mile radius because of decency laws in the bigger towns.) There's a little subdivision right in that area but I couldn't for the life of me remember the name.

I'm sure he'd tell you this himself, but much better to be raided by the feds than Roland PD. They are absolute bastards who are still under investigation for shooting and killing a man last year for running a red light.
posted by Ugh at 10:34 PM on February 21, 2006


caddis writes "I have no sympathy for the bot boy. Karma can be a bitch. However, WaPo sticks another pin into the journalism voodoo doll with this mistake. It makes it that much harder for the next reporter to get a story from a nervous source."

caddis gets it totally right.
posted by OmieWise at 8:08 AM on February 22, 2006



