
Stalking a person with only their email & IP address - hartleybrody
http://www.attackvector.org/invasion-of-privacy/
======
jacquesm
Whoever wrote this is a complete idiot and doesn't know the first thing about
computer forensics.

Check out this gem:

"I use spammers and pedophiles as test subjects when I’m working on something.
This is mostly because it’s unlikely that they would go to the authorities and
point the finger at me, knowing that I could easily turn around and say
something to the effect of, “Well, yes I did pwn his box.. but you should have
seen all the child porn I found on it.” owned x 2."

Well, owned x 3 because the first thing that this would do is backfire, after
all if you admitted to hacking someone's box they could make a fair claim to
you having put that data there.

The last thing you do when you go after a pedophile is to hack their computer,
any evidence found there is tainted, and you are now a suspect with a
confession on record.

There are several other laws this guy broke in his vigilante action against
this spammer, he's set himself up quite nicely for a lawsuit, after all he's
handed the prosecution all the documentation they could possibly wish for.

~~~
pessimizer
It is moronic that he thinks that informing cops about child porn on a
computer he hacked would get him out of trouble, or get the pedophile in
trouble - but the odds that a pedophile is going to call the police and
complain about being hacked seem to me to be about where he puts them. He's
not talking about "going after" the pedophile, he's talking about hacking the
pedophile to have somebody to hack.

Out of curiosity, what possible laws did he break by going through a few
public databases, Facebook, whois data and Google, and what does it have to do
with computer forensics? I did this same type of thing to go after a
4chan-type troll who was attacking my blog a few years ago, and it was a joy to
really effectively stop somebody who thought they were anonymous on the
internet.

~~~
jacquesm
He should have left the guy's wife out of it for one, he also should not admit
in public to hacking computers. Regardless of who owns them that's breaking
the law.

~~~
pessimizer
He definitely shouldn't have mentioned the guy's wife and kids, but it's
certainly not against the law. It's definitely not bright to admit in public
to hacking computers in the same way it's not bright to admit in public to
doing drugs, but it isn't actually against any law but the law of prudence and
good sense.

~~~
jacquesm
Before you ever decide to hack someone's computer I suggest you consult a
lawyer.

~~~
ez77
I think I missed something. How did he hack the other guy's computer? He based
his analysis on email headers received in his own computer, and used Google,
whois, fb, etc. after that. Right?

~~~
jacquesm
He didn't hack this guy's computer but he pretty much documents for the world
to see that he's hacked other computers.

There's stupid and then there is this article.

------
corin_
This guy is clearly a complete moron, but the thing that annoyed me the most
was not the fact that he seems to think he's a genius for being able to use
Google, it's his total misuse of the phrase "work cut out for".

 _Also, consider what you’re sending in this email. What if this guy had sent
me an email trying to extort me, threaten me, whatever? I could turn this over
to the authorities and they’d have their work cut out for them._

~~~
zacharytamas
I noticed that as well. I had to re-read it a few times before I believed it.

------
waffle_ss
This is Dumb catching Dumber. Only the bottom of the barrel spammers in the
year 2010 would use their real non-proxied IP address and a non-private WHOIS
record. I would also point out that GeoIP does not point out the address of
the person using an IP address, just their ISP (or whoever owns the ARIN
block).

~~~
dredmorbius
Rule #3: Spammers are stupid.

<http://bruce.pennypacker.org/2005/02/28/the-rules-of-spam/>

The barrel is immense, and even the bottom is quite large.

------
jiggy2011
I stopped reading when I read:

 _Just put the IP address in the box and hit “search”. Here’s what we find._

        Region: Washington
        City: Spokane
        Postal code: 99205

 _So, we’re narrowing it down.. we now know that it’s Spokane, Washington._

Erm, no you don't know that he lives there, it just means that the IP address
he happens to hit the internet with belongs at that address. If I geoIP myself
it comes up about 300+ miles from where I live, I geoIPd some of the public
wifi connections I used and it's not even the same country that I am in.

I blame Google Analytics for this, I often hear people say stuff like "hmm,
all our visitors seem to come from London, let's optimise our site for people
in London".

------
codezero
It's also possible that the spam email came from a computer infected with
malware, making the target of this "attack" an innocent bystander.

Whether this was the case, in this instance, is insignificant, it's just one
of those things that the author didn't think of, it shows the author did not
think very deeply about the situation, and simply wanted to flex his technical
jock.

~~~
ricardobeat
_The email was coming from his email address, using his business’s name, and
advertising his business_

------
fleitz
The realities of life are that at some point you're going to have to give out
your personal information. From a fragment of that it's pretty easy to
reconstruct the rest.

The only thing the internet really changes is using a browser vs. going down
to the courthouse.

Finding a name, address and phone number are not really a big deal. Life is
far better knowing lots of people than it is knowing a few people. My time is
worth far more than anything I could hope to gain from tracking down someone
who sends me email I don't want. I'd much rather just click the Spam button
and get on interacting with the wonderful people in my life.

"OMG, someone on _the internet_ found my name, address, and phone number. I
don't know how I could go on living my life dealing with _phone calls_ and
_mail_ , my life has been completely destroyed!"

If this person could put my name, phone number and address in front of every
person on the planet I'd gladly pay for that service, it would be extremely
valuable having 7 billion people know how to reach me.

------
larrys
Whois info can and does easily get falsified. So the basis of his entire
research which was built on checking whois is incorrect. In other words there
is nothing preventing anyone from registering a domain name using someone
else's contact info. Which is actually done quite frequently by web designers
as only one example on behalf of their customers for legitimate reasons.

Separately, this is also incorrect:

"and it’s the administrative contact, which means he owns the domain"

The "registrant" actually owns the domain. Not the admin contact. Of course
the admin contact can own the domain. And all the info can be false anyway as
mentioned.

For example in the case of the domain "ycombinator.com" the admin contact is
"Kirsty Nathoo" who, according to LinkedIn, is the "VP Finance and Operations
at Y Combinator". The registrant is Ycombinator LLC and of course that makes
sense that they are the owner.

Geolocating IP addresses also produces far from gold standard results.

------
bdonlan
Hm. He keeps [redacting] Nancy's name, but leaves it in all the screenshots.
Sloppy work, there.

~~~
corin_
_UPDATE (1/12/2011): I received an email from Steve regarding this post. He
sincerely apologized for his actions and realized now that what he did was
wrong and simply asked that I modify the post to protect the identities of his
family. I felt that this was a fair request, considering that his family had
nothing to do with what Steve did and it doesn’t jeopardize the impact of the
article. So, if you’re wondering why you’re seeing all the “[withheld]”'s,
that’s why!_

_PS – Yes, I realize the names are still shown in the images, but they’re not
indexed by Google_

~~~
burgerbrain
_"but they’re not indexed by Google"_

...yet.

------
runjake
I do this sort of stuff on a near-daily basis. All the tools he refers to are
quite common.

The only thing I'd add is that if you're a state of Washington resident, your
personal details are particularly open to the Internet. They seem to have
every little government database open for use. I always breathe a sigh of
relief when whoever I have to track down lives or has lived in WA.

In numerous other cases, I've had to track down people merely with a street
address, and getting a full dossier on those people is equally easy.

If I were to use illegal techniques, it would be orders of magnitude scarier.

I track down criminals or long lost loved ones normally, but how do you combat
being found? Disinformation. I could go on about this, if people were
interested.

Summary: keep your personal life off the Internet.

------
ricardobeat
_whois ricardo.cc_

ring me up :)

I'm not worried about my address, phone, name or email. You can get those from
the doormen, co-workers, friends, google and hundreds of documents scattered
around the world (bills, contracts, registers, etc).

The best you can and should do is protect your personal life. I recently
switched my FB account to "friends only" - that should be the default for
everybody.

~~~
dredmorbius
You realize of course that your friends include any attorney with a subpoena,
the world's intelligence agencies (who's to say there isn't Intelligence life
in space), and all the criminal hackers on the planet.

Sleep tight.

~~~
ricardobeat
I do. I don't carry any secrets though (and for sure wouldn't share them on
Facebook), and am more afraid of being run over by a bus. Otherwise I would
just get off the internet.

------
jiggy2011
On a somewhat related note, this talk from Defcon:

<http://www.youtube.com/watch?v=fEmO7wQKCMw>

Is actually pretty cool, albeit a little far fetched in parts.

------
jphackworth
It seems inevitable that all public information about people will become
organized, and you just won't be able to keep secrets like this any more.
Better that it be available to everyone than only to sneaky governmental
agencies.

~~~
SurenTer
Just 2 cents - Bankruptcy details are from PACER (pcl.uscourts.gov). The rest
is obvious, of course.

