
How the law is tracking down high-tech prank callers - nols
https://www.theguardian.com/technology/2016/apr/15/swatting-law-teens-anonymous-prank-call-police
======
patcheudor
"As Finley demonstrated, it’s not impossible to hunt down suspects who use
these technologies – it’s just extremely time-consuming and resource-
intensive."

Here's the big problem. It can be impossible. If the swatter exercises extreme
caution, never registers any device or service in their name, never uses their
public IP address for so much as a Google search on "how to swat" and doesn't
brag about it online, it is in fact impossible to trace. This makes it tough
going into an investigation because you don't know if it's some stupid kid or
someone who knows a thing or two about how to remain truly anonymous online.
To this point, you'll note there's a common thread in all the stories of this
type. It's some stupid kid who gets caught and I highly doubt that's because
only kids are swatting. It's because they are catching the dumb ones.

~~~
cmdrfred
I agree, I think most people who comment here are at a level that they could
pull it off without getting caught if their life depended on it. Be your
method burner phone, bitcoin with a little voip and tor, or something else
it's relatively easy to be anonymous enough over the phone to not be worth the
effort.

~~~
pakled_engineer
It's no fun if you swat somebody and don't brag about it afterwards on
Twitter/IRC/whatever which will lead authorities straight to them like it has
most other criminals.

~~~
patcheudor
Which gets me to an interesting theory of how the cyber security field really
resembles an ecosystem not unlike what is found in nature. For the most part,
a lot of what we call the bad guys are just dumb people who get caught, as you
said because they likely can't help themselves from bragging about it. They
pulled off a "goof" and think it's funny, many times likely not even
considering the criminal nature of the act. All of these people who pull off
these exploits (swatting is just an exploit that involves the unauthorized use
of law enforcement instead of a kernel) and do so in a rather large and
obvious way elicit immune responses. Many hundreds of responses with no one
event causing significant harm to the total ecosystem. It's our jobs in the
cyber security community to react to these and develop ways to stop them
before the inevitable "big one happens," in this case the mass swatter who
remains anonymous because they are disciplined, but who also has at their
disposal a rudimentary AI system connected to an Asterisk IVR server that can
make large volumes of automated swatting calls, causing the US emergency
response system to grind to a halt.

This is where there is a very fine line between tackling exploitation via the
implementation of technical controls and legal controls. Because the Internet
is global, I'm of the mind-set that controlling it via legislative controls
has long since passed, therefore we'd better be looking for technical solutions
before someone exploits the system en masse to cripple a nation.

------
smoyer
I suspect we'll be seeing a lot of articles that end with some form of "let's
make the Internet safer by giving up our privacy and right to anonymity" while
the government is trying to pass the anti-encryption bill. Unfortunately, this
police officer spent a ridiculous amount of time tracking down someone with no
real op-sec skills simply because he wasn't trained to track someone on the
web.

Note that I agree we need to treat swatting as a serious and potentially
dangerous crime ... But what do we do when all the perps are juveniles?

~~~
jamesbowman
Yes, that is the Guardian's current project.

[http://www.spiked-online.com/newsite/article/why-has-the-gua...](http://www.spiked-online.com/newsite/article/why-has-the-guardian-declared-war-on-internet-freedom/18247)

~~~
walshemj
It's telling that the Guardian turn off comments on any of the hacked of
stories or stories relating to bad behaviour by the press.

Afraid you will get called out by your readers for double standards maybe

~~~
jgome
The same "the Guardian" that called their audience "Russian trolls"...

------
csense
The question is why it's necessary to have highly militarized police who
respond with overwhelming force at the drop of a hat. Oh wait, that's right,
the War on Drugs.

~~~
jessaustin
It was fortunate that in this case the target was "a sprawling house in the
affluent Atlanta suburb of Johns Creek". Police knock on that house's front
door. In other neighborhoods, they simultaneously demolish all doors just
before assaulting all the occupants.

Just mentioning this in case anyone had forgotten the _purpose_ of the War on
Drugs.

------
matt_wulfeck
It seems to me that a few simple pieces of information can greatly help police
departments know if it's a malicious hoax:

1\. Is the call coming from a voip service?

2\. Can the residence be reached via their normal phone line?

A small amount of caution should be used before local (and often times
militarized) police forces go busting down doors.

~~~
spdustin
My normal home phone line _is_ VoIP. What then?

~~~
Splines
I think the fact that a call is coming from a voip service is not necessarily
the problem, the problem is that a voip number can be made extremely easily.

Some sort of "non-anonymous" score can be assigned a voip number. Paying via a
credit card or cheque can attach an address to the voip number. Does this
address match the reported home of the caller? Does the IP originate from the
same area as the caller? Has this voip number been used by the same account
for several years?

~~~
nemothekid
> _Some sort of "non-anonymous" score can be assigned a voip number. Paying
> via a credit card or cheque can attach an address to the voip number. Does
> this address match the reported home of the caller? Does the IP originate
> from the same area as the caller? Has this voip number been used by the same
> account for several years?_

So what you are saying is, before responding to a potentially life threatening
emergency call, the police should first obtain a subpoena for the relevant
data of the VoIP operator? Or are you saying the police should have unfettered
access to payment methods, address and names of everyone who registers a VoIP
number?

~~~
ikeboy
Voip numbers that have emergency dialing access should be required to get that
information. In fact, they are, so you'll note the article mentions a loophole
of calling a non emergency number, then asking to be transferred to emergency
services.

I don't know how harmful closing that loophole would be for legitimate calls.
Can police track how many legit calls were transferred from non-emergency
calls, and came from numbers without emergency calling capabilities? Knowing
whether that number is negligible or not is important.

~~~
pyre
> you'll note the article mentions a loophole of calling a non emergency
> number, then asking to be transferred to emergency services.

The "loophole" is to get to the emergency services for the area they are
targeting. You can't dial 911 in British Columbia and get emergency services
in Georgia.

~~~
ikeboy
Yup. It's not clear from there whether they'd be able to call emergency
services somewhere else, but it's implied not (they mention getting a local
number to call from).

Even if they could, you could still check whether their phone can call your
emergency services directly.

~~~
therein
Yes but can't the caller ID be spoofed? At that point, you'll be relying on a
system to give you a "sugar score" for a call since you are providing
emergency services. But I do agree that a low sugar score combined with a
particular type of request should raise some flags.

------
ikeboy
> Complex anonymity tools mean it can cost $100,000 to identify just one hoax
> caller.

> Finley estimates he spent more than a thousand hours tracking down those two
> teenagers, neither of whom will spend much time behind bars, yet this is a
> crime that can cost police departments as much as $100,000 per incident and
> could result in fatalities.

The number seems to have been pulled from this sentence, but it refers to the
damage caused by the crime, not the cost to investigate. (This seems more
plausible than thinking the number came from the thousand hours quote.)

So it appears whoever wrote the sub headline didn't actually read the article.

Edit: also re costs in crime to allowing anonymity:

The stated argument for allowing anonymity doesn't extend to anonymous calling
of emergency services. The article points out that such swatters already need
to use the loophole of calling a regular number and getting routed to
emergency; why not display to that operator whether the call is anonymous, and
if so don't let them route it to emergency services? Are there a significant
number of legitimate anonymous calls forwarded this way?

------
metanoetic
> Finley used an email address associated with one Skype account to uncover a
> personal website for the second swatter, whose online handle was Obnoxious.
> Using that email, he found a page on the text-sharing website Pastebin where
> one of Obnoxious’s enemies had revealed his name and address.

$100,000 OSINT... the police did no 'heavy lifting' in this case

------
fiatmoney
The police are the ones deciding how to respond to these (completely
unbelievable) calls, and making them face consequences for their actions would
be more effective than going on elaborate after-the-fact hunts for the guy
that "tricked" them.

------
abritishguy
With great difficulty it seems.

------
JulianMorrison
The police should take a leaf from Corporal Carrot's book, "[...] a number of
offences of murder by means of a blunt instrument, to wit, a dragon, and many
further offences of generalized abetting [...]" and prosecute these non-pranks
as "assault with a deadly weapon".

------
st3v3r
STOP REFERRING TO SWATTING AS A PRANK. IT IS NOWHERE NEAR A PRANK.

~~~
omginternets
Your capslock key is broken.

Also, it clearly _is_ a prank. A dangerous and reckless one, but the idea is
still to have a giggle at someone's expense.

I don't see how mischaracterizing the intent of this act will help us fight
it.

~~~
DanBC
The intent is to cause fear, alarm, and distress.

That's not pranking someone.

~~~
omginternets
>That's not pranking someone.

How so?

If the people doling out the calls are laughing at other people's expense,
then it certainly is a prank. It's just a tasteless and dangerous one.

~~~
maxerickson
Prank carries a connotation that the act should not expose the target to
actual danger.

So swatting is arguably a prank (in the sense you write about) but people
don't like the label because it is dismissive of the danger created by the
swatting.

~~~
omginternets
> Prank carries a connotation that the act should not expose the target to
> actual danger.

Says who?

Examples of irresponsible and dangerous pranks abound.

More to the point, the intent is _still_ to have a laugh at someone's expense
which fits the dictionary definition of "prank" quite well: a practical joke
or mischievous act.

In anticipation of the nitpicking over the term "mischief", I submit the
google definition thereof: harm or trouble caused by someone or something.

Sorry, but the fact that calling this a prank should get people so upset is
really, really bizarre.

~~~
maxerickson
I'm not upset about it and I'm not arguing with you. I simply answered your
question.

I'm the one saying it carries that connotation for the reason I followed up
with. Feel free to think I'm wrong.

