Tag Archives: Legal Issues

Two Israeli Men Arrested For Running VDoS-s.com DDoS Service

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/omE-YkT-2F0/

DDoS or Booter services have been around for a while, but VDoS-s.com was a particularly slick (and shameless) one with a content marketing strategy and active social media accounts. Two Israeli men were arrested for running the service after ironically being hacked by a security researcher. They called their service a ‘Stresser’ and claimed to…

Read the full post at darknet.org.uk

Serial Swatter, Stalker and Doxer Mir Islam Gets Just 1 Year in Jail

Post Syndicated from BrianKrebs original https://krebsonsecurity.com/2016/07/serial-swatter-stalker-and-doxer-mir-islam-gets-just-1-year-in-jail/

Mir Islam, a 21-year-old Brooklyn man who pleaded guilty to an impressive array of cybercrimes including cyberstalking, “doxing” and “swatting” celebrities and public officials (as well as this author), was sentenced in federal court today to two years in prison. Unfortunately, thanks to time served in this and other cases, Islam will only see a year of jail time in connection with some fairly heinous assaults that are becoming all too common.

While Islam’s sentence fell well short of the government’s request for punishment, the case raises novel legal issues as to how federal investigators intend to prosecute ongoing cases involving swatting — an extremely dangerous prank in which police are tricked into responding with deadly force to a phony hostage crisis or bomb scare at a residence or business.

Mir Islam, at his sentencing hearing today. Sketches copyright by Hennessy / CourtroomArt.com

Mir Islam, at his sentencing hearing today. Sketches copyright by Hennessy / CourtroomArt.com. Yours Truly is pictured in the blue shirt behind Islam.

On March 14, 2014, Islam and a group of as-yet-unnamed co-conspirators used a text-to-speech (TTY) service for the deaf to relay a message to our local police department stating that there was an active hostage situation going on at our modest town home in Annandale, Va. Nearly a dozen heavily-armed officers responded to the call, forcing me out of my home at gunpoint and putting me in handcuffs before the officer in charge realized it was all a hoax.

At the time, Islam and his pals were operating a Web site called Exposed[dot]su, which sought to “dox” public officials and celebrities by listing the name, birthday, address, previous address, phone number and Social Security number of at least 50 public figures and celebrities, including First Lady Michelle Obama, then-FBI director Robert Mueller, and then Central Intelligence Agency Director John Brennan.

Exposed.su also documented which of these celebrities and public figures had been swatted, including a raft of California celebrities and public figures, such as former California Governor Arnold Schwartzenegger, actor Ashton Kutcher, and performer Jay Z.

Exposed[dot]su was built with the help of identity information obtained and/or stolen from ssndob[dot]ru.

Exposed[dot]su was built with the help of identity information obtained and/or stolen from ssndob[dot]ru.

At the time, most media outlets covering the sheer amount of celebrity exposure at Exposed[dot]su focused on the apparently starling revelation that “if they can get this sensitive information on these people, they can get it on anyone.” But for my part, I was more interested in how they were obtaining this data in the first place.

On March 13, 2013 KrebsOnSecurity featured a story — Credit Reports Sold for Cheap in the Underweb –which sought to explain how the proprietors of Exposed[dot]su had obtained the records for the public officials and celebrities from a Russian online identity theft service called sssndob[dot]ru.

I noted in that story that sources close to the investigation said the assailants were using data gleaned from the ssndob[dot]ru ID theft service to gather enough information so that they could pull credit reports on targets directly from annualcreditreport.com, a site mandated by Congress to provide consumers a free copy of their credit report annually from each of the three major credit bureaus.

Peeved that I’d outed his methods for doxing public officials, Islam helped orchestrate my swatting the very next day. Within the span of 45 minutes, KrebsOnSecurity.com came under a sustained denial-of-service attack which briefly knocked my site offline.

At the same time, my hosting provider received a phony letter from the FBI stating my site was hosting illegal content and needed to be taken offline. And, then there was the swatting which occurred minutes after that phony communique was sent.

All told, the government alleges that Islam swatted at least 19 other people, although only seven of the victims (or their representatives) showed up in court today to tell similarly harrowing stories (I was asked to but did not testify).

Officers responding to my 2013 swatting incident.

Security camera footage of Fairfax County police officers responding to my 2013 swatting incident.

Going into today’s sentencing hearing, the court advised that under the government’s sentencing guidelines Islam was facing between 37 and 46 months in prison for the crimes to which he’d pleaded guilty. But U.S. District Court Judge Randolph Moss seemed especially curious about the government’s rationale for charging Islam with conspiracy to transmit a threat to kidnap or harm using a deadly weapon.

Judge Moss said the claim raises a somewhat novel legal question: Can the government allege the use of deadly force when the perpetrator of a swatting incident did not actually possess a weapon?

Corbin Weiss, an assistant US attorney and a cybercrime coordinator with the U.S. Department of Justice, argued that in most of the swatting attacks Islam perpetrated he expressed to emergency responders that any responding officers would be shot or blown up. Thus, the government argued, Islam was using police officers as a proxy for assault with a deadly weapon by ensuring that responding officers would be primed to expect a suspect who was armed and openly hostile to police.

Islam’s lawyer argued that his client suffered from multiple psychological disorders, and that he and his co-conspirators orchestrated the swattings and the creation of exposed[dot]su out of a sense of “anarchic libertarianism,” bent on exposing government overreach on consumer privacy and use of force issues.

As if to illustrate his point, a swatting victim identified by the court only as Victim #4 was represented by Fairfax, Va. lawyer Mark Dycio. That particular victim did not wish to be named or show up in court, but follow-up interviews confirmed that Dycio was representing Wayne LaPierre, the executive vice president of the National Rifle Association.

According to Dycio, police responded to reports of a hostage situation at the NRA boss’s home just days after my swatting in March 2013. Impersonating LaPierre, Islam told police he had killed his wife and that he would shoot any officers responding to the scene. Dycio said police initially had difficulty identifying the object in LaPierre’s hand when he answered the door. It turned out to be a cell phone, but Dycio said police assumed it was a weapon and stripped the cell phone from his hands when entering his residence. The police could have easily mistaken the mobile phone for a weapon, Dycio said.

Another victim that spoke at today’s hearing was Stephen P. Heymann, an assistant U.S. attorney in Boston. Heymann was swatted because he helped prosecute the much-maligned case against the late Aaron Swartz, a computer programmer who committed suicide after the government by most estimations overstepped its bounds by charging him with hacking for figuring out an automated way to download academic journals from the Massachusetts Institute of Technology (MIT).

Heymann, whose disability requires him to walk with a cane, recounted the early morning hours of April 1, 2013, when police officers surrounded his home in response to a swatting attack launched by Islam on his residence. Heymann recalled worrying that officers responding to the phony claim might confuse his cane with a deadly weapon.

One of the victims represented by a proxy witness in today’s hearings was the wife of a SWAT team member in Arizona who recounted several tense hours hunkered down at the University of Arizona, while her husband joined a group of heavily-armed police officers who were responding to a phony threat about a shooter on the campus.

Not everyone had nightmare swatting stories that aligned neatly with Islam’s claims. A woman representing an anonymous “Victim #3” of Islam’s was appearing in lieu of a cheerleader at the University of Arizona that Islam admitted to cyberstalking for several months. When the victim stopped responding to Islam’s overtures, he phoned in an active shooter threat to the local police there that a crazed gunman was on the loose at the University of Arizona campus.

According to Robert Sommerfeld, police commander for the University of Arizona, that 2013 swatting incident involved 54 responding officers, all of whom were prevented from responding to a real emergency as they moved from building to building and room to room at the university, searching for a fictitious assailant. Sommerfeld estimates that Islam’s stunt cost local responders almost $40,000, and virtually brought the business district surrounding the university to a standstill for the better part of the day.

Toward the end of today’s sentencing hearing, Islam — bearded, dressed in a blue jumpsuit and admittedly 75 pounds lighter than at the time of his arrest — addressed the court. Those in attendance who were hoping for an apology or some show of remorse from the accused were left wanting as the defendant proceeded to blame his crimes on multiple psychological disorders which he claimed were not being adequately addressed by the U.S. prison system. Not once did Islam offer an apology to his victims, nor did he express remorse for his actions.

“I didn’t expect to go as far as I did, but because of these disorders I felt I was invincible,” Islam told the court. “The mistakes I made before, I have to pay for that. I understand that.”

Sentences that noticeably depart from the government’s sentencing guidelines are grounds for appeal by the defendant, and Judge Moss today seemed reluctant to imprison Islam for the maximum 46 months allowed under the criminals statutes to which Islam had admitted to violating. Judge Moss also seemed to ignore the fact that Islam expressed exactly zero remorse for his crimes.

Central to the judge’s reluctance to sentence Islam to the statutory maximum penalty was Islam’s 2012 arrest in connection with a separate cybercrime sting orchestrated by the FBI called Operation Card Shop, in which federal agents created a fake cybercrime forum dedicated to credit card fraud called CarderProfit[dot]biz.

U.S. law enforcement officials in Washington, D.C. involved in prosecuting Islam for his swatting, doxing and stalking crimes were confident that Islam would be sentenced to at least two years in prison for trying to sell and buy stolen credit cards from federal agents in the New York case, thanks to a law that imposes a mandatory two-year sentence for crimes involving what the government terms as “aggravated identity theft.”

Much to the government’s chagrin, however, the New York judge in that case sentenced Islam to just one day in jail. But by his own admission, even while Islam was cooperating with federal prosecutors in New York he was busy orchestrating his swatting attacks and administering the Exposed[dot]su Web site.

Islam was re-arrested in September 2013 for violating the terms of his parole, and for the swatting and doxing attacks to which he pleaded guilty. But the government didn’t detain Islam in connection with those crimes until July 2015. Since Islam has been in federal detention since then, and Judge Moss seemed eager to ensure that this would count as time served against Islam’s sentence, meaning that Islam will serve just 12 months of his 24-month sentence before being released.

There is absolutely no question that we need to have a serious, national conversation about excessive use of force by police officers, as well as the over-militarization of local police forces nationwide.

However, no one should be excused for perpetrating these potentially deadly swatting hoaxes, regardless of the rationale. Judge Moss, in explaining his brief deliberation on arriving at Islam’s two-year (attenuated) sentence, said he hoped to send a message to others who would endeavor to engage in swatting attacks. In my estimation, today’s sentence sent the wrong message, and missed that mark by a mile.

Criminal Rings Hijacking Unused IPv4 Address Spaces

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/kpnWMV__skk/

So apparently this Hijacking Unused IPv addresses has been going on for a while, but with quite a lot number of attempts recently it’s ramped up a LOT since the September announcement by ARIN about IPv4 depletion. There was only only 50 hijacking attempts between 2005 and 2015. Since September, ARIN has already seen 25 […]

The post Criminal…

Read the full post at darknet.org.uk

The Panama Papers Leak – What You Need To Know

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/SPqd2S03BBo/

The HUGE news this week is the Panama Papers leak, a massive cache of 11.5 million documents leaked to a German Newspaper (Süddeutsche Zeitung) in August 2015. It’s one of the most significant data leaks of all time and Edward Snowden has labelled it as “the biggest leak in the history of data journalism”. It’s […]

The post The Panama…

Read the full post at darknet.org.uk

Panama Papers Endanger Anonymity of ‘Pirate’ Sites

Post Syndicated from Ernesto original http://feedproxy.google.com/~r/Torrentfreak/~3/-hSWqrh2tyE/

megaupload-logoThis weekend an unprecedented database of over 11 million files leaked from Mossack Fonseca, the world’s largest offshore law firm.

The database was initially leaked to the German newspaper Süddeutsche Zeitung by an anonymous source. The newspaper then shared it which the International Consortium of Investigative Journalists (ICIJ), who involved hundreds of journalists around the world.

The reporting thus far has mainly focused on how some of the wealthiest people in the world used offshore companies to launder money and avoid tax. However, Mossack Fonseca is also frequently used as a privacy tool.

This explains why the names of two former Megaupload employees appear in the Panama Papers. As reported by Trouw, early 2010 Dutch programmer Bram Van der Kolk and Slovak designer Julius Bencko started a an offshore company with help from Mossack Fonseca.

Van der Kolk and Bencko are both wanted by the U.S. Government for their involvement with Megaupload. However, their British Virgin Islands-based company “Easy Focus Technology Limited” had nothing to do with the defunct file-sharing service.

In fact, Van der Kolk says that the reason to use an offshore company was to remain anonymous and hide their ties to Megaupload.

“The British Virgin Islands are for companies what Mega is for files: privacy, at least as long as the information does not leak from the trust office!” Van der Kolk says.

The pair didn’t want Megaupload boss Kim Dotcom to know about their side-project, as he might have objected to it. Nothing more than that.

“Not so much because our project was competing with Megaupload or that we could thus spend less time on Megaupload. More because Kim would never allow it in principle, and it would lead directly to an unnecessary escalation.”

This anonymity aspect is also crucial for a lot of names that appear in the Panama Papers. For example, many “pirate” sites use offshore companies to keep the owners out of the public view. This may help to avoid legal issues, for example.

This is believed to be one of the main reasons why several torrent sites, pirate streaming services and file-hosting companies are located in the British Virgin Islands, Cyprus, Jersey, Panama and the Seychelles.

The Pirate Bay’s “parent company” Reservella, for example, is reportedly incorporated in the Seychelles. In fact, during a lawsuit in the Netherlands anti-piracy group BREIN showed evidence (pdf) listing Mossack Fonseca as Reservella’s registered agent.

Interestingly, Mossack Fonseca denied that they had anything to do with the company (pdf), suggesting that the report BREIN produced may have been fabricated.

TorrentFreak spoke with several Pirate Bay insiders who confirm that Reservella should not appear in the Panama Papers, nor do they expect any other TPB-info to turn up from the leaked documents.

Still, the privacy element will certainly have several other “pirate” sites worried that their owners may be exposed in the future. Thus far no public directory of names and companies have been released, but if that happens there is bound to be more panic.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

FBI Backed Off Apple In iPhone Cracking Case

Post Syndicated from Darknet original http://feedproxy.google.com/~r/darknethackers/~3/YOaaAx6weag/

So the big furore this week is because the FBI backed off Apple in the whole Apple vs the World privacy case regarding cracking the iPhone Passcode of the phone belonging to the San Bernardino gunman Syed Farook. If you’re not familiar with the case, catch up with it here: FBI–Apple encryption dispute. The latest […]

The post FBI Backed Off…

Read the full post at darknet.org.uk

The VMware Hearing and the Long Road Ahead

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2016/02/29/VMware.html

[ This blog was crossposted
on Software Freedom Conservancy’s website
. ]

On last Thursday, Christoph Hellwig and his legal counsel attended a
hearing in
Hellwig’s VMware
case
that Conservancy currently funds. Harald Welte, world famous for
his GPL enforcement work in the early 2000s, also attended as an
observer and wrote
an excellent
summary
. I’d like to highlight a few parts of his summary, in the
context of Conservancy’s past litigation experience regarding the GPL.

First of all, in great contrast to the cases here in the USA, the Court
acknowledged fully the level of public interest and importance of the case.
Judges who have presided over Conservancy’s GPL enforcement cases USA
federal court take all matters before them quite seriously. However, in
our hearings, the federal judges preferred to ignore entirely the public
policy implications regarding copyleft; they focused only on the copyright
infringement and claims related to it. Usually, appeals courts in the USA
are the first to broadly consider larger policy questions. There are
definitely some advantages to the first Court showing interest in the
public policy concerns.

However, beyond this initial point, I was struck that Harald’s summary
sounded so much like the many hearings I attended in the late 2000’s and
early 2010’s regarding Conservancy’s BusyBox cases. From his description,
it sounds to me like judges around the world aren’t all that different:
they like to ask leading questions and speculate from the bench. It’s
their job to dig deep into an issue, separate away irrelevancies, and
assure that the stark truth of the matter presents itself before the Court
for consideration. In an adversarial process like this one, that means
impartially asking both sides plenty of tough questions.

That process can be a rollercoaster for anyone who feels, as we do, that
the Court will rule on the specific legal issues around which we have built
our community. We should of course not fear the hard questions of judges;
it’s their job to ask us the hard questions, and it’s our job to answer
them as best we can. So often, here in the USA, we’ve listened to Supreme
Court arguments (for which the audio is released publicly), and every
pundit has speculated incorrectly about how the justices would rule based
on their questions. Sometimes, a judge asks a clarification question
regarding a matter they already understand to support a specific opinion
and help their colleagues on the bench see the same issue. Other times,
judges asks a questions for the usual reasons: because the judges
themselves are truly confused and unsure. Sometimes, particularly in our
past BusyBox cases, I’ve seen the judge ask the opposing counsel a question
to expose some bit of bluster that counsel sought to pass off as settled
law. You never know really why a judge asked a specific question until you
see the ruling. At this point in the VMware case, nothing has been
decided; this is just the next step forward in a long process. We enforced
here in the USA for almost five years, we’ve been in litigation in Germany
for about one year, and the earliest the Germany case can possibly resolve
is this May.

Kierkegaard wrote that it is perfectly true, as the philosophers say,
that life must be understood backwards. But they forget the other
proposition, that it must be lived forwards. Court cases are a prime
example of this phenomenon. We know it is gut-wrenching for our
Supporters to watch every twist and turn in the case. It has taken so
long for us to reach the point where the question of a combined work of
software under the GPL is before a Court; now that it is we all want this
part to finish quickly. We remain very grateful to all our Supporters
who stick with us, and the new ones who will join
today
. That
funding makes it possible for Conservancy to pursue this and other
matters to ensure strong copyleft for our future, and handle every other
detail that our member projects need. The one certainty is that our best
chance of success is working hard for plenty of hours, and we appreciate
that all of you continue to donate so that the hard work can continue.
We also thank the Linux developers in Germany, like Harald, who are
supporting us locally and able to attend in person and report back.

FaiFCast Release, and Submit to FOSDEM Legal & Policy Issues DevRoom

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2011/12/16/faif-fosdem.html

Today Karen Sandler and I
released Episode 0x1E of
the Free as in Freedom oggcast
(available
in ogg
and mp3
formats). There are two important things discussed on that oggcast that
I want to draw your attention to:

Submit a proposal for the Legal & Policy Issues DevRoom
CFP

Tom
Marble
, Richard
Fontana
, Karen Sandler, and I are coordinating
the Legal
and Policy Issues DevRoom

at FOSDEM 2012.
The Call
for Participation for the DevRoom is now available
. I’d like to
ask anyone reading this blog post who has an interest in policy and/or
legal issues related to software freedom to submit a talk by Friday 30
December 2011, by
emailing <fosdem-legal@faif.us>.

We only have about six slots for speakers (it’s a one-day DevRoom), so
we won’t be able to accept all proposals. I just wanted to let everyone
know that so you don’t flame me if you submit and get rejected.
Meanwhile, note that our goal is to avoid the “this is what
copyrights, trademarks and patents are” introductory talks. Our
focus is on complex issues for those already informed about the basics.
We really felt that the level of discourse about legal and policy issues
at software freedom conferences needs to rise.

There are, of course, plenty of secret membership
clubs 0, even some with their own
private conferences, where these sorts of important issues are discussed.
I personally seek to move high-level policy discussion and debate out of
the secret “old-boys” club backrooms and into a public space
where the entire software freedom community can discuss openly important
legal and policy questions in the community. I hope this DevRoom is a
first step in that direction!

Issues & Questions List for the Software Freedom Non-Profits Debate

I’ve made
reference
recently
to debates about the value of non-profit organizations for software
freedom projects.
In FaiFCast 0x1E,
Karen and I discuss the debate in depth. As part of that, as you’ll see
in the show notes, I’ve made a list of issues that I think were fully
conflated during the recent debates. I can’t spare the time to opine in
detail on them right now (although Karen and I do a bit of that in the
oggcast itself), but I did want to copy the list over here in my blog,
mainly to list them out as issues worth thinking about in a software
freedom non-profit:

Should a non-profit home decide what technical infrastructure is
used for a software freedom project? And if so, what should it be?

If the non-profit doesn’t provide technological services, should
non-profits allow their projects to rely on for-profits for
technological or other services?

Should a non-profit home set political and social positions that
must be followed by the projects? If so, how strictly should they be
enforced?

Should copyrights be held by the non-profit home of the project, or
with the developers, or a mix of the two?

Should the non-profit dictate licensing requirements on the
project? If so, how many licenses and which licenses are
acceptable?

Should a non-profit dictate strict copyright provenance
requirements on their projects? If not, should the non-profit at least
provide guidelines and recommendations?

This list of questions is far from exhaustive, but I
think it’s a pretty good start.

0 Admittedly, I’ve got a
proverbial axe to grind about these secretive membership-only groups,
since, for nearly all of them, I’m persona non grata. My frustration
level in this reached a crescendo when, during a session at LinuxCon
Europe recently, I asked for the criteria to join one such private legal
issues discussions group, and I was told the criteria themselves were
secret. I pointed out to the coordinators of the forum that this wasn’t a
particularly Free Software friendly way to run a discussion group, and
they simply changed the subject. My hope is that this FOSDEM DevRoom can
be a catalyst to start a new discussion forum for legal and policy issues
related to software freedom that doesn’t have this problem.

BTW, just to clarify: I’m not talking
about FLOSS Foundations as
one of these secretive, members-only clubs. While the FLOSS Foundations
main mailing list is indeed invite-only, it’s very easy to join and the
only requirement is: “if you repost emails from this list
publicly, you’ll probably be taken off the mailing list”. There
is
no “Chatham
House Rule”
or other silly, unenforceable, and
spend-inordinate-amount-of-times-remembering-how-to-follow rules in
place for FLOSS Foundations, but such silly rulesets are now common with
these other secretive legal issues meeting groups.

Finally, I know I haven’t named publicly the members-only clubs I’m
talking about here, and that’s by design. This is the first time I’ve
mentioned them at all in my blog, and my hope is that they’ll change
their behaviors soon. I don’t want to publicly shame them by name until
I give them a bit more time to change their behaviors. Also, I don’t
want to inadvertently promote these fora either, since IMO their very
structure is flawed and community-unfriendly.

Update: Some
have claimed incorrectly
that the text in the footnote above somehow indicates my unwillingness to
follow the Chatham House Rule (CHR).
I refuted that
on identi.ca, noting that the text above doesn’t say that, and those who
think it does have simply misunderstood. My primary point (which I’ll now
state even more explicitly) is that CHR is difficult to follow,
particularly when it is mis-applied to a mailing list. CHR is designed
for meetings, which have a clear start time and a finish time. Mailing
lists aren’t meetings, so the behavior of CHR when applied to a mailing
list is often undefined.

I should furthermore note that people who have lived under CHR for a
series of meetings also have similar concerns as mine. For
example, Allison
Randal, who worked under CHR
on Project
Harmony
noted:

The group decided to adopt Chatham House Rule for our
discussions. … At first glance it seems
quite sensible: encourage open participation by being careful about what
you share publicly. But, after almost a year of working under it, I have
to say I’m not a big fan. It’s really quite awkward sometimes figuring out
what you can and can’t say publicly. I’m trying to follow it in this post,
but I’ve probably missed in spots. The simple rule is tricky to apply.

I agree with Allison.