Comments on: computer whiz vs extortionist

computer whiz vs extortionist

dhruva — Tue, 14 Mar 2006 16:51:44 -0800

How a Bookmaker and a Whiz Kid Took On an Extortionist — and Won Facing an online extortion threat, Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them.

By: kensanway

kensanway — Tue, 14 Mar 2006 17:37:44 -0800

This was really interesting! There seems to be a typo in the last quote, where it sounds like Lyon impeaches himself?

By: russilwvong

russilwvong — Tue, 14 Mar 2006 17:43:42 -0800

That's awesome.

By: kaemaril

kaemaril — Tue, 14 Mar 2006 17:48:14 -0800

Hmm. Seems vaguely familiar. Looks at timestamp ... Saturday, Nov. 22, 2003?! Oh, come on!

By: solipse

solipse — Tue, 14 Mar 2006 17:54:34 -0800

Yeah, I remember reading this years ago....but it is still pretty interesting if you haven't seen it before.

By: TravellingDen

TravellingDen — Tue, 14 Mar 2006 18:05:58 -0800

This was a long time ago. It was not uncommon to see botnets of 30,000 hosts, and to be attacked with well over 1Gbps of traffic. It was amazing. What was more amazing was despite the sums of money involved, and the resources the attackers had on hand, they did basically no research whatsoever into the infrastructure of the sites they were attacking, or which sites were owned by the same company, or anything like that. In some respects it was really amazing, in others, it was very uninformed and clumsy. These were not sophisticated hackers or criminals.. they were russian script kiddies with ties to organized crime and a feeling of impunity. Some interesting followup, DDOS attacks against online sportsbooks have basically been a non-issue since I believe spring of 2004. Many operations beefed up their infrastructure, and there were several high profile arrests in Russia and elsewhere, organized by multi-national police cooperation. The trials are still ongoing to this day. Nowadays, the books know better than to pay up, the infrastructure is more resilient, and the ISPs are more cooperative in dealing with the issue.

By: roguescout

roguescout — Tue, 14 Mar 2006 18:09:45 -0800

They should fill those criminals up with this and cause them to have a fatal Denial of Elimination Attack!

By: rkent

rkent — Tue, 14 Mar 2006 18:13:07 -0800

This was really interesting! There seems to be a typo in the last quote, where it sounds like Lyon impeaches himself? I didn't take it that way; seemed to me he was saying he would had to have cloned himself to be working both sides of this, since he was working so hard just on the one side.

By: tweak

tweak — Tue, 14 Mar 2006 18:16:36 -0800

That's still a really cool story, and reminded me of Cuckoo's Egg.

By: soiled cowboy

soiled cowboy — Tue, 14 Mar 2006 19:04:57 -0800

Great story.

By: rxrfrx

rxrfrx — Tue, 14 Mar 2006 19:23:00 -0800

a classic

By: arcticwoman

arcticwoman — Tue, 14 Mar 2006 19:27:31 -0800

Neat.

By: alfaspider71

alfaspider71 — Tue, 14 Mar 2006 19:31:34 -0800

Interesting story, but a bit old. Definitely worth a read if you haven't seen it.

By: flabdablet

flabdablet — Tue, 14 Mar 2006 19:44:01 -0800

I like the way the victim ends up $1m + $50k/year out of pocket to a white hat, instead of $40k out of pocket to a black hat. It seems to me that instead of entering into a never-ending networking arms race, it might be better simply to get an insurer to pay the extortionist off for you. I'm no actuary, but it seems to me that the premiums would cost less for individual businesses than either consultants' fees or extortion payments; also, the underwriter would end up with way more than $1m to play with, and a direct financial interest in employing investigators to follow money trails and track down miscreants. This is kind of a similar approach to what the banks take in respect of credit card fraud. Everybody understands that credit cards are massively insecure, and that some degree of fraud is inevitable; but rather than change card procedures until they're inconveniently secure, the interest rates are jacked up enough to cover the fraud losses.

By: MrMoonPie

MrMoonPie — Tue, 14 Mar 2006 19:54:46 -0800

Whiz kid. Wiz kid.

By: tweak

tweak — Tue, 14 Mar 2006 20:15:14 -0800

flabdablet: and so what happens if you get extorted more than once a year, by more than one botnet owner. This isn't like Mafia protection money, that's the wrong way of looking at it. It's not like if you pay the Russian script kiddie to stop fucking with you, other script kiddies won't try the same thing. It's more like operating a bank with no lock on the vault; sure, the lock is pretty expensive, but if you don't invest in it initially, eventually more and more people are going to rob you until you get put out of business. What will be really interesting to see is when someone who gets seriously fucked with by a hacker or scammer fights back IRL by hiring another criminal to take out the extortionist in an illegal manner.

By: pruner

pruner — Tue, 14 Mar 2006 20:42:44 -0800

kaemaril - Looks at timestamp ... Saturday, Nov. 22, 2003?! Oh, come on! actually, the article is from May 2005. that "timestamp" is part of the article.

By: Mitrovarr

Mitrovarr — Tue, 14 Mar 2006 20:45:36 -0800

It seems that it'd be more efficient in some of these cases to hire private investigators, instead of beefing the hell out of the infrastructure. I'm sure it's hard to track these guys down on the internet, but large amounts of money changing hands usually leaves a nice fat paper trail. Hire some guys to track that down, get your money back, and make an example out of the extortionists in the local courts. Much more effective than paying them off, which will only encourage more and more of this.

By: rkent

rkent — Tue, 14 Mar 2006 20:56:16 -0800

tweak: you misunderstood his suggestion. The point is that you pay the insurance company and they pay all extortionists; the rate is set such that they make enough revenue to hire some investigators and hunt down some of them as a means of deterrence. It's certainly the better option from the business perspective, as long as the rates would actually be affordable. And I'm not sure what authority the insurance company would really have to do anything to the offenders, regardless of how much incentive they had. They're probably judgment-proof and so there would need to be a good deal of state cooperation if this was to work. An interesting idea though.

By: Ogre Lawless

Ogre Lawless — Tue, 14 Mar 2006 21:22:14 -0800

Interesting geek intrigue story. Good link.

By: zardoz

zardoz — Tue, 14 Mar 2006 21:25:06 -0800

That was very long and I didn't really understand half of it but it was fascinating nonetheless.

By: kensanway

kensanway — Tue, 14 Mar 2006 21:34:14 -0800

Well, regarding the whole problem of the commons thing, another idea that might make more sense is for the companies to pool their funds to pay a consultant, thus reducing their prices, and then share the software and techniques the consultant produces. Eventually other consultants enter, leading to competition, lowering prices, etc. But apparently, this isn't a problem anymore?

By: hwestiii

hwestiii — Wed, 15 Mar 2006 05:30:44 -0800

I've seen this story in two different places in the last year. The first was the aticle in the FPP when it was originally published last spring. Wired also covered it here.

By: Jairus

Jairus — Wed, 15 Mar 2006 05:57:58 -0800

Richardson considered paying off the extortionists. Now Richardson has a better option. Pay Lyon $50,000 a year and he's protected. He doesn't have to worry about paying extortionist's protection fees. Heh heh heh.

By: stratastar

stratastar — Wed, 15 Mar 2006 07:14:16 -0800

The New Yorker also wrote up this story, but this one is told much better. Lyon's other project opte.org has very cool pictures of the interconnectedness of the internet. Ooh and they have a picture of a DDoS attack.

By: login

$50000 per year might seem stiff until you realize this is being billed to companies that sell little bits of _nothing_ at a huge markup. These are the guys that will pay 10 grand for a toasted cheese sandwich, so $50000 for peace of mind is nothing. (great link. old, but a fun read)

By: Optimus Chyme

Optimus Chyme — Wed, 15 Mar 2006 08:38:53 -0800

New to me. Thanks for the read.

By: russilwvong

russilwvong — Tue, 21 Mar 2006 13:38:57 -0800

A couple articles on volunteer groups which are hunting down botnets, via slashdot: Washington Post, eWeek. After reading a few of these articles, I got paranoid enough that I reinstalled Windows on my home PC.