
Interview with the Guy Who Tried to Frame Me for Heroin Possession - snowy
https://krebsonsecurity.com/2019/09/interview-with-the-guy-who-tried-to-frame-me-for-heroin-possession/
======
coldcode
It's interesting that the "hacker" himself was caught via hackery. When I
worked on anti-cheating stuff for a game company, I was able to stop the
seller of the cheat because their cheat had been stolen and resold so they had
to put anti cheating tech in their cheating tech and it opened a hole I was
able to exploit to detect them.

~~~
metalliqaz
sounds more like they had to put anti-piracy tech in their cheating tech

~~~
reificator
Imagine you're selling a tool that lets players win every game.

Then imagine someone else starts selling another tool. Anyone who buys that
other tool is now able to beat the players you promised a win to, AND they're
not giving you any money for it. This damages your reputation, which in an
underground market is probably your most valuable resource. So not only are
they not paying you, but they're robbing you of future sales by damaging your
rep.

Wouldn't you put in something to prevent users of your newest cheat from being
cheated themselves?

~~~
newnewpdro
No different from Google blocking "spam" while simultaneously targeting and
delivering ads...

------
yardie
I wonder how much of his personal information was gleaned from "respectable"
American companies like Lexis-Nexis, Equifax, and Transperian? I'm sure they
gave everything and medical history for the price of a few coins. I have no
respect for companies that don't respect my privacy. And I make it a habit of
giving them as much useless, inaccurate information as possible.

~~~
chisleu
Who do you mean by "his"?

Also, Krebs is a hell of a guy.

~~~
yardie
> Vovnenko first came onto my radar after his alter ego Fly published a blog
> entry that led with an image of my bloodied, severed head and included my
> credit report, copies of identification documents, pictures of our front
> door, information about family members, and so on.

------
mirimir
Damn. It does seem that stupid mistakes took him down. Revealing too much
about himself on his forum. I mean, if he'd been careful, compromise of that
forum would have revealed nothing about him. And for Dog's sake, using the
same password on low- and high-security accounts!

Of course, the real story could be hidden through parallel construction. But
on its face, this does support the argument that it's stupid mistakes that
take people down. Krebs' blog is full of them.

Edit: And just to be clear, I'm not even suggesting support for that Ukrainian
dickhead. It's just that criminal takedowns are well reported, and so provide
cautionary lessons for the rest of us.

~~~
xoa
> _Damn. It does seem that stupid mistakes took him down._

One possibility on the "cautionary lessons for the rest of us" front is a
classic bit of wisdom about asymmetric adversarial situations: the other party
only needs to get lucky _once_. There is a fundamental challenge of scale and
time for any entity or individual that tries to run something dealing with
persistent antagonists over long time periods, it just plain becomes hard to
keep track of it all without further infrastructure systems in place. And it's
also hard for any single human to stay in the zone persistently, we're not
really wired that way, hence the need for non-human support structures.

And that in turn is the same challenge for any business dealing with
significant organic growth, criminal or not, it's the classic "that TOTALLY
TEMPORARY one-off excel spreadsheet someone made 15 years ago now runs
hundreds of millions of dollars" issue. It's hard to know ahead what will be
important and sticky or not, even if experience helps. And it's hard to decide
how to allocate limited resources too. Infrastructure you build helps you
scale properly in the future, but it doesn't do anything for you right now,
you might not even know you could need it. And overbuilding upfront might mean
there is no tomorrow to worry about anyway.

It's a tough nut, though fortunately it's one area that is probably worse on
the black side of things since there is less room for recovery from mistakes.
Maybe it's one of the structural forces that can help encourage law abiding
behavior, legit companies can mess up badly but still potentially recover if
there is enough meat to them, whereas a total opsec break for criminals can
mean the end of the enterprise.

~~~
mirimir
Yes. And I was thinking more of activists in repressive places. Who,
notwithstanding what we might think of them, _are_ criminals in the eyes of
their governments.

------
brodsky
I'm not sure it's possible to "give" inaccurate information to Equifax.

~~~
creditReport1
I work at one of the big 3 credit bureaus so thought I’d chime in -

It is entirely possible to report inaccurate information to the bureaus.
Although more often than not it’s on accident, not malicious. Additionally
bureaus collect a lot of information from other sources. Some public some
private. It’s possible for these datasets to be error prone themselves.

There are however official procedures for disputing/correcting errors in
reporting and in my experience they do a pretty good job of validating
everything (as that’s literally the business they’re in)

~~~
yardie
Our son (10 yo) had a delinquent medical bill for reasons we don't understand.
The creditor can't tell us who sent the bill because we aren't the named party
and I'll be damned if I put him on the phone with them, because he is a minor.
So, we're at an impasse and no one can tell us anything.

Someone managed to get his name and address and did not realize he was a
minor. Brilliant system you have!

~~~
giardini
yardie says> So, we're at an impasse and no one can tell us anything.

This is not true. And the system works fine. But you'll have to do some work
(write a few letters and maybe a bit more). Here's how:

0. Open a chronological paper file. Copies of all correspondence with dates
clearly marked/stamped will go into this file. Put the file into a file
cabinet: put a copy of every letter, note or form, including the creditors'
initial complaint, into it in time order. Also put notes about any phone
conversations into it. Put dates on everything.

1. Talk to your local police department and, with your son, file a report
with them if possible. They'll view it as a waste of time but it helps by
putting you on "the right side of the law." Do it just to have a police report
on file locally.

2. Have your son write a letter to the _creditor_ (not the credit bureau)
explaining that your son is a minor, the debt is not his, he did not purchase
the item and asking them to remove the invalid entry from his credit report.
Add a page with your adult names and signatures explaining that he is your
legal son. Send those two letters along with a copy of the chronological file
to the creditor, all via registered mail if you're paranoid.

3. Wait. They _will_ respond. Usually they'll cave at this point. Sometimes
they'll call and ask that a police report be filed in _their_ jurisdiction
(usually by phone) or some such. Do what they ask within reason. Make sure
they (creditor, police) send you copies of everything. Follow up if they
don't.

4. Wait. _They_ (the _creditors_, NOT you) should, after brief
investigation, notify the credit bureau to remove the item from your son's
credit report. If they don't do so within a few months, send follow-up second
and third letters if necessary, reminding them.

5. If you get no response from the creditor after two months, copy the
chronological file and send it via registered mail to the _credit bureau_
adding a cover letter explaining that you have exhausted the legal means of
redress with the creditors and they have refused to respond appropriately. Ask
the credit bureau to investigate the creditor's item on your son's credit
report.

This sounds like a lot of trouble but it really isn't and it would be a great
lesson for your son, since it shows how most of the world works.

Correction involves loosely-coupled organizations and persons. Nothing in this
happens at Internet speed. Each contact must have the situation explained from
the beginning. It teaches a person how to order events in time, how to narrate
a story consistently and how to be patient.

~~~
wool_gather
It's obscene that this burden falls on these folks because someone else
falsely used this kid's name. The police report should be filed against the
collection agency and the credit bureau, for fraud.[0] We may not have
debtor's prisons anymore, but we certainly have guilty-by-default for finance.

> it shows how most of the world works.

It certainly does, but not in the way you meant. :/

[0]I'm aware this is not legally possible; I mean "should" in a moral sense.

~~~
giardini
They didn't mention a collection agency, nor is one likely involved with this
case yet. Collection agencies enter the picture usually long after an incident
and much neglect by various parties.

Collection agencies are not evil. If you've ever been a landlord or had
someone fail to pay a debt, a collection agency may be a godsend b/c they buy
your debt (you get _something_ at least; they get the paper debt, valid or
not). Is that not a valid capitalistic risk-taking venture?

The credit bureau can't be charged with fraud: their data is from legitimate
businesses (creditors); any fraud would apply to the creditor.

This system has and still works well. Most everyone reading this has made good
use of our current credit system. We all understand how it works but are
impatient with the slowness of the system. But it is a mistake to confuse
slowness with malintent.

------
darkwater
Ouch, Poggioreale is not a nice place to be in.

~~~
cpach
Why?

~~~
darkwater
Beside living side by side with people from the camorra ("camorristi"). This
is a letter to an Italian newspaper about living in Poggioreale (in Italian)
[https://www.corriere.it/cronache/13_luglio_28/detenuto-poggi...](https://www.corriere.it/cronache/13_luglio_28/detenuto-poggioreale-lettera-sulle-carceri_735836e4-f760-11e2-a852-8fa32bcbd2fe.shtml)

------
sedachv
Here is a link to the original interview, since neither Krebs nor the people
that made the translation seem to believe in citing their sources:

[https://krober.biz/?p=3200#more-3200](https://krober.biz/?p=3200#more-3200)

~~~
JetSpiegel
[https://krebsonsecurity.com/wp-content/uploads/2019/09/Inter...](https://krebsonsecurity.com/wp-content/uploads/2019/09/Interview-with-Mukha-aka-Fly-1.pdf)

Here's the translated PDF. Either the original Russian was hacked up already,
or this translation is very iffy.

~~~
kspacewalk2
The original is full of barely comprehensible jargon, obscure code-speak,
intentional spelling mistakes, etc.

------
celim307
So this guy picked OP completely at random? I wonder why he was initially
targeted

~~~
yellowarchangel
The most important and missing information at the start of the article is
_why_ the OP had their information posted on the forum, why they were getting
sent this package.

~~~
dotancohen
OP is a very well known security researcher. Here is his self-bio:

[https://krebsonsecurity.com/about/](https://krebsonsecurity.com/about/)

