Interview with the Guy Who Tried to Frame Me for Heroin Possession (krebsonsecurity.com)
374 points by snowy 20 days ago | 87 comments



It's interesting that the "hacker" himself was caught via hackery. When I worked on anti-cheating stuff for a game company, I was able to stop the seller of the cheat because their cheat had been stolen and resold, so they had to put anti-cheating tech in their cheating tech, and it opened a hole I was able to exploit to detect them.


Would you consider writing this up? Sounds fascinating.


Sounds more like they had to put anti-piracy tech in their cheating tech.


Imagine you're selling a tool that lets players win every game.

Then imagine someone else starts selling another tool. Anyone who buys that other tool is now able to beat the players you promised a win to, AND they're not giving you any money for it. This damages your reputation, which in an underground market is probably your most valuable resource. So not only are they not paying you, but they're robbing you of future sales by damaging your rep.

Wouldn't you put in something to prevent users of your newest cheat from being cheated themselves?


No different from Google blocking "spam" while simultaneously targeting and delivering ads...


Live by the sword, die by the sword. I love how they cheat and steal and are upset when other people cheat and steal.


Suggests something about honour among thieves.


I wonder how much of his personal information was gleaned from "respectable" American companies like Lexis-Nexis, Equifax, and Transperian? I'm sure they gave everything and medical history for the price of a few coins. I have no respect for companies that don't respect my privacy. And I make it a habit of giving them as much useless, inaccurate information as possible.


> And I make it a habit of giving them as much useless, inaccurate information as possible.

How do you do this? (Specifically, with the companies you mentioned.)


I would like to know this as well.


Easy, you just lie when people ask. Apply for store loyalty cards and similar with fake information to get that associated with your data broker profiles.

You could also open phone lines with fake information, ISP accounts and so on.

A good investigator with expensive access will still be able to track you down, but automatically exploiting your data will be much more difficult if it's a mess.


We're not talking about just any data brokers though, the parent comment mentioned credit bureaus specifically.

I'm not a lawyer, but if you're applying for a line of credit with false information, I'm pretty sure that's a crime.

If you're not applying for a line of credit, I don't think credit bureaus such as Equifax or "Transperian" (which I assume is a portmanteau of TransUnion and Experian) will base anything on that data, since it's so obviously easy to manipulate.


>I'm not a lawyer, but if you're applying for a line of credit with false information, I'm pretty sure that's a crime.

I'm definitely not a lawyer, but unless your intent is to defraud I wouldn't be so sure about that. I also don't see how you'd ever end up getting prosecuted for this unless you really piss someone off, in which case I guess you could get prosecuted for just about anything.

In any case, whether or not this is legal seems utterly irrelevant.

>If you're not applying for a line of credit, I don't think credit bureaus such as Equifax or "Transperian" (which I assume is a portmanteau of TransUnion and Experian) will base anything on that data, since it's so obviously easy to manipulate.

You would be wrong. That'd be an awful way to maintain up-to-date address data on people.

Besides, the first company named was "Lexis-Nexis".


> > If you're not applying for a line of credit, I don't think credit bureaus such as Equifax or "Transperian" (which I assume is a portmanteau of TransUnion and Experian) will base anything on that data, since it's so obviously easy to manipulate.

> You would be wrong. That'd be an awful way to maintain up-to-date address data on people.

Okay, could you cite this, please? I've been very clear that I'm just speculating, but if you're so sure maybe you have some insider information I don't?

My credit reports don't have my up-to-date address, so whatever they are doing is an awful way to maintain an up-to-date address.


>Okay, could you cite this, please? I've been very clear that I'm just speculating, but if you're so sure maybe you have some insider information I don't?

I don't know of public sources to cite, but I've seen the data. If there exists good public material about how these companies source their data, I haven't seen it.

These companies will accept data from essentially anywhere they can get it; not all of that will affect your credit score, but it'll certainly affect your person profile. Name(s!), addresses, SSN(s!), DOB(s!) and whatnot associated with an individual "person" id.

FWIW, the credit bureaus are not just credit bureaus:

https://www.tlo.com/law-enforcement

https://www.experian.com/consumer-information/right-party-co...

https://www.equifax.com/business/firstsearch/


> I don't know of public sources to cite, but I've seen the data. If there exists good public material about how these companies source their data, I haven't seen it.

So, it sounds like you're speculating.

> These companies will accept data from essentially anywhere they can get it, not all of that will affect your credit score but it'll certainly affect your person profile. Name(s!),addresses,ssn(s!),dob(s!) and whatnot associated with an individual "person" id.

Look, I'm sure you're right, they do collect all the data they can. However, there are two caveats:

1. Implicitly or explicitly, they're also assigning confidence values to the accuracy of that data. They know that data you're legally obligated to be truthful about is more accurate than data you aren't. So if you're lying to them on store loyalty cards where no credit is being issued, that data gets prioritized somewhere between "useful for printing out and using as toilet paper" and "actual toilet paper". Data from your actual lines of credit is worth more and they know it.

2. While the credit bureaus have incentives to take whatever info they can get, loyalty card issuers don't necessarily have incentives to give them that info. I have a discount card for a local grocery chain. They could give my data to a credit bureau, but then the other two local grocery chains would be able to buy that data. That's their competitive advantage, gone. Why would they do that? I guess there's some value in protecting your data from a local grocery chain, but it's unlikely that fake data gets back to the credit bureaus anyway.

What I'm saying is that I don't think the steps you are taking are an effective means of protecting your data.


>So, it sounds like you're speculating.

So, it sounds like you’re calling me a liar.


“Honestly your honor, I wasn’t going to use the loan I applied for with false information, I was just trying to briefly confuse hackers and advertisers!”

But I really don’t know, because I’m also not a lawyer and therefore do not give people legal advice on the internet.


The idea is that you'd use the loan, and pay it just like you normally would. But instead of giving the lender your actual address you give them some other address, essentially indistinguishable from a regular data entry error.

I can't see anyone getting in trouble for this unless they're creating fake credit profiles or not paying their debts, the credit bureau dbs are chock-full of garbage data from garbage sources.

How would you even get caught in the first place?


I mean, go for it, but you’re still talking about falsifying loan documents. That’s gotta be a good way to gin up trouble, even if it doesn’t come to prosecution.

I just can’t see a scenario where some info is fake and other info is real (necessary bc you’re using and paying the loan) that’s both kosher with the bank and gives you the obscurity you’re looking for. Is this something you can actually speak to from experience, or are we both spitballing? Because I’m happy to be wrong, but if we’re both making this up as we go then the conversation is pretty pointless.


>That’s gotta be a good way to gin up trouble, even if it doesn’t come to prosecution.

But how? Realistically the worst case scenario here is that you get denied the loan because the computer says no, after the initial application nobody cares unless you owe an outrageous amount and stop paying.

>Is this something you can actually speak to from experience, or are we both spitballing?

Yeah, when companies or governments ask me for my "home address" I definitely don't tell them where I live. I also go out of my way to corrupt my name whenever possible. Phone numbers? Usually just random numbers unless I know for sure I'm going to get a call I need to answer.

And yes, I have credit cards.


Corrupting your name in particular is good policy. Hell, if you do it differently in different places and keep track that gives you an idea of who’s selling your data to who. Still not with you on lying on credit applications, but mazel tov if it’s been working for you.


Your advice here is very dangerous and people would be breaking numerous laws if they followed it.


Do you happen to know which laws those would be?

The advice provided by GP seems to be "Apply for store loyalty cards and similar with fake information[...]. You could also open phone lines with fake information, ISP accounts and so on."



Well, that article doesn't seem to contain anything useful.

>Identity fraud is the use by one person of another person's personal information, without authorization, to commit a crime or to deceive or defraud that other person or a third person

That does not even sound similar to what is being discussed here.

It'd be useful if you could name at least some of the numerous laws that the discussed behaviour might violate.


Since I seem to be your personal Google bot today, here's another result: https://ec.europa.eu/home-affairs/sites/homeaffairs/files/e-...

Please rate my work on a scale 1-5


Look, you made a really broad claim and I'm curious. Your original comment read like a confident statement of fact, but you can't seem to be able to point out a single relevant law anywhere in the world.

This is a huge document that doesn't really seem to contain anything relevant to what we're discussing here.

The European laws I was able to check seem to have clear caveats, like the British Fraud Act: "intends, by making the representation— (i) to make a gain for himself or another, or (ii) to cause loss to another or to expose another to a risk of loss."

I really don't see the usual definitions of fraud applying here so I'm very curious as to which legislation actually might.


I'm pretty sure this would qualify as fraud in most jurisdictions.


Why? You aren't deceiving anyone for a benefit, nor are you causing any injury.


Dig up the personal information of their owners, board members, and major shareholders, and publish or sell it - an eye for an eye.


Well, they were specifically posting a branded Accurint report for Krebs in the lampeduza (IIRC) thread.


Those vendors' reports cost $10-$20 and contain no medical records.


I'm currently working on a batch of information requests about myself to different data brokers and alternative credit reporting firms. I send a copy of my drivers license and a recent utility bill and they send me my records for free. It's shocking what I found the last time I did this.


Who do you mean by "his"?

Also, Krebs is a hell of a guy.


> Vovnenko first came onto my radar after his alter ego Fly published a blog entry that led with an image of my bloodied, severed head and included my credit report, copies of identification documents, pictures of our front door, information about family members, and so on.


[flagged]


A statement devoid of context intended for shock value is better off not said.


What shock-value do you speak of? Cursory Googling[0][1] reveals that Mr. Krebs is quite possibly not above reproach.

Is there something else that needs to be said about the situation?

[0] - https://hacked.wtf/2019/04/26/dear-brian-krebs-no-more-doxxi...

[1] - https://www.itwire.com/security/86867-infosec-researchers-sl...


This is a bad hill to die on. There are two sides to that story.


Damn. It does seem that stupid mistakes took him down. Revealing too much about himself on his forum. I mean, if he'd been careful, compromise of that forum would have revealed nothing about him. And for Dog's sake, using the same password on low- and high-security accounts!

Of course, the real story could be hidden through parallel construction. But on its face, this does support the argument that it's stupid mistakes that take people down. Krebs' blog is full of them.

Edit: And just to be clear, I'm not even suggesting support for that Ukrainian dickhead. It's just that criminal takedowns are well reported, and so provide cautionary lessons for the rest of us.


>Damn. It does seem that stupid mistakes took him down.

One possibility on the "cautionary lessons for the rest of us" front is a classic bit of wisdom about asymmetric adversarial situations: the other party only needs to get lucky once. There is a fundamental challenge of scale and time for any entity or individual that tries to run something dealing with persistent antagonists over long time periods; it just plain becomes hard to keep track of it all without further infrastructure systems in place. And it's also hard for any single human to stay in the zone persistently, we're not really wired that way, hence the need for non-human support structures.

And that in turn is the same challenge for any business dealing with significant organic growth, criminal or not, it's the classic "that TOTALLY TEMPORARY one-off excel spreadsheet someone made 15 years ago now runs hundreds of millions of dollars" issue. It's hard to know ahead what will be important and sticky or not, even if experience helps. And it's hard to decide how to allocate limited resources too. Infrastructure you build helps you scale properly in the future, but it doesn't do anything for you right now, you might not even know you could need it. And overbuilding upfront might mean there is no tomorrow to worry about anyway.

It's a tough nut, though fortunately it's one area that is probably worse on the black side of things since there is less room for recovery from mistakes. Maybe it's one of the structural forces that can help encourage law abiding behavior, legit companies can mess up badly but still potentially recover if there is enough meat to them, whereas a total opsec break for criminals can mean the end of the enterprise.


Yes. And I was thinking more of activists in repressive places. Who, notwithstanding what we might think of them, are criminals in the eyes of their governments.


I'm not sure it's possible to "give" inaccurate information to Equifax.


I work at one of the big 3 credit bureaus so thought I’d chime in -

It is entirely possible to report inaccurate information to the bureaus, although more often than not it's by accident, not malicious. Additionally, bureaus collect a lot of information from other sources, some public, some private. It's possible for these datasets to be error-prone themselves.

There are however official procedures for disputing/correcting errors in reporting and in my experience they do a pretty good job of validating everything (as that’s literally the business they’re in)


Our son (10 yo) had a delinquent medical bill for reasons we don't understand. The creditor can't tell us who sent the bill because we aren't the named party and I'll be damned if I put him on the phone with them, because he is a minor. So, we're at an impasse and no one can tell us anything.

Someone managed to get his name and address and did not realize he was a minor. Brilliant system you have!


https://www.kalzumeus.com/2017/09/09/identity-theft-credit-r... is a comprehensive guide to dealing with debts that you don't owe.


hire a lawyer and write a letter. You're not at an impasse. You can have this cleared, if they don't have evidence and you write a letter, they have to shut it down.


No letter, just ask for Proof of Debt... most of these companies can't even validate how much you owe...


Exactly, the Fair Credit Reporting Act (FCRA) says you have a right to ask a company that claims you owe it money to prove it.


I'll do no such thing. Someone else made a mistake and therefore I have to pay a lawyer to fix it? It's not a legitimate debt, but it goes to show how anyone can put anything in anyone's file and these information brokers will suck it up and pass it around without even the most basic sanity checks. The FCRA was a good start but an American GDPR would be better.


You shouldn't need a lawyer, but it may require a couple hours of time (but not all at once).

The next time they call, tell them that the person they are looking for is a minor and you are their guardian and because of that you are required to speak on their behalf.

Immediately inform them that all further communication must be done in writing and that you are requesting that they validate the debt in writing. They are required by law to communicate in writing if you request it and to also validate the debt.

If the next letter from them is not a debt validation, you should send them a simple cease and desist response stating they have not validated the debt and may no longer contact you. Send it certified, return receipt requested. Keep a copy for yourself.

If it doesn't stop at that point, you will need a lawyer, but it will most likely be at no cost to you:

If they send you another letter or call you again attempting to collect, get their information and if you are inclined, contact a debt collection attorney. You would be able to sue them for up to $1,000 per incursion plus the fees from your lawyer. Provided you collected their information and have your initial letter, it should require very little time from you to go through the legal process.


+1 to this -- and I'll add that you can find decent sample legally-phrased "f••• off, idiots" letters on the web (they should cite a specific U.S. law that establishes the two requirements mentioned: communication in writing, and verification of the debt on demand -- I can't recall the law's citation number off the top of my head).


Are you sure you want to risk long-term credit problems because you refuse to interact with a debt collector? I don't think that's wise.


If they're not on the debt, hence why the collector won't talk to the adults, and the debt is in the name of a 10-year-old, won't that disappear by the time the kid's 18 and not show up on the parents' record?


Good debts stop showing after ten years. Ask me how I know. Do bad debts?


I'm not aware of any debt erasure that occurs when you're 18.


He's got 8 years to go until 18; doesn't unpaid debt fall off your credit report by then?


It's complicated. Also, even for a minor I'd work to eliminate invalid debt rather than wait out the statute of limitations.


I meant I thought debt falls off your report after so many years.


Asking for proof of debt doesn't require a lawyer and almost always results in them going away.


You have avenues open to you. Is it fair? No, but since when is life always fair? Don't cut off your nose to spite your face.


Opting out of the entire credit system isn't really cutting off your nose. It is quite nice.


I don't believe that to be true but, in this case, it's a parent opting their ten year old out of it. The point is that this can be resolved to their benefit. Instead, they would rather scream about it being unfair. No one cares; the only people who get hurt will be them.


How did an 11 year old kid get "opted in" to the system in the first place?

And resolving an unfair situation by working within the absurd system without screaming about it just means that people will continue to be hurt by it.


Mistakes happen, but I obviously have no idea. You have to choose your battles. If you want to fight the credit bureaus then go for it, more power to you. Most of us, myself included, don't have the time, energy, or desire. I'd rather just take care of it and spend my time on more important matters.


Is it really to their benefit if they lose money unrelated to the supposed debt doing it?


Yes, because it's better than the alternative (ruining the credit rating of your ten year old, something they'll have to fix 8+ years from now). A perfect solution doesn't always exist.

In this case it's very unlikely they would need to hire a lawyer anyway.


I thought debt falls off your report after so long?

A perfect or at least more ideal solution would be a response asking for age verification and not ignoring the parents because it's not their name.


You're correct; it drops off your credit report after 7 years, but the debt itself doesn't go away.

The solution here is to do what one of the posters above me said to do. Dispute the claim, inform the collector that they are going after a minor, demand all further communications be made via mail.


> yardie says: So, we're at an impasse and no one can tell us anything.

This is not true. And the system works fine. But you'll have to do some work (write a few letters and maybe a bit more). Here's how:

0. Open a chronological paper file. Copies of all correspondence with dates clearly marked/stamped will go into this file. Put the file into a file cabinet: put a copy of every letter, note or form, including the creditors' initial complaint, into it in time order. Also put notes about any phone conversations into it. Put dates on everything.

1. Talk to your local police department and, with your son, file a report with them if possible. They'll view it as a waste of time but it helps by putting you on "the right side of the law." Do it just to have a police report on file locally.

2. Have your son write a letter to the creditor (not the credit bureau) explaining that your son is a minor, the debt is not his, he did not purchase the item, and asking them to remove the invalid entry from his credit report. Add a page with your adult names and signatures explaining that he is your legal son. Send those two letters along with a copy of the chronological file to the creditor, all via registered mail if you're paranoid.

3. Wait. They _will_ respond. Usually they'll cave at this point. Sometimes they'll call and ask that a police report be filed in _their_ jurisdiction (usually by phone) or some such. Do what they ask within reason. Make sure they (creditor, police) send you copies of everything. Follow up if they don't.

4. Wait. _They_ (the creditors, NOT you) should, after brief investigation, notify the credit bureau to remove the item from your son's credit report. If they don't do so within a few months, send follow-up second and third letters if necessary, reminding them.

5. If you get no response from the creditor after two months, copy the chronological file and send it via registered mail to the credit bureau adding a cover letter explaining that you have exhausted the legal means of redress with the creditors and they have refused to respond appropriately. Ask the credit bureau to investigate the creditor's item on your son's credit report.

This sounds like a lot of trouble but it really isn't, and it would be a great lesson for your son, since it shows how most of the world works.

Correction involves loosely-coupled organizations and persons. Nothing in this happens at Internet speed. Each contact must have the situation explained from the beginning. It teaches a person how to order events in time, how to narrate a story consistently and how to be patient.


It's obscene that this burden falls on these folks because someone else falsely used this kid's name. The police report should be filed against the collection agency and the credit bureau, for fraud.[0] We may not have debtor's prisons anymore, but we certainly have guilty-by-default for finance.

> it shows how most of the world works.

It certainly does, but not in the way you meant. :/

[0]I'm aware this is not legally possible; I mean "should" in a moral sense.


They didn't mention a collection agency, nor is one likely involved with this case yet. Collection agencies enter the picture usually long after an incident and much neglect by various parties.

Collection agencies are not evil. If you've ever been a landlord or had someone fail to pay a debt, a collection agency may be a godsend because they buy your debt (you get something at least; they get the paper debt, valid or not). Is that not a valid capitalistic risk-taking venture?

The credit bureau can't be charged with fraud: their data is from legitimate businesses (creditors); any fraud would apply to the creditor.

This system has worked and still works well. Most everyone reading this has made good use of our current credit system. We all understand how it works but are impatient with the slowness of the system. But it is a mistake to confuse slowness with malintent.


If the goal is to get it off the credit report then #2 needs to be addressed to the CRA, not the furnisher/creditor. Please see the safe harbor (for the CRA) language in the FCRA.


Debt will automatically fall off son's report after 7 years. They can ignore it without consequences. (assuming kid isn't getting a mortgage at 17 years old, haha)


We can legislate his company out of business and replace them with someone accountable to citizens.


> There are however official procedures for disputing/correcting errors in reporting and in my experience they do a pretty good job of validating everything (as that’s literally the business they’re in)

Anecdotally, I can't agree with this.

I'm six months into trying to convince Equifax that I exist. Apparently they accidentally registered me as dead in their system, which has caused background checks on me, like when I registered my ABN, to fail. Turns out there are a number of government systems that have been outsourced to them.

They have twice manually intervened, and twice their automated processes have "corrected" their information and relisted me as deceased. And getting a manual intervention is a lot of complaints, and a lot of escalations.


> There are however official procedures for disputing/correcting errors in reporting and in my experience they do a pretty good job of validating everything (as that’s literally the business they’re in)

I'd disagree with that. The three agencies have a couple of names I've never gone by (I go by my middle name, so I expect "Middle Last" and "First Last" but I never went by "First Mother's-Maiden-Name"), and a couple addresses I've never lived at on my records for 20 years. They refuse to remove them.


This was meant as a reply to yardie's comment, but my HN client won't let me edit or delete it.


Ouch, Poggioreale is not a nice place to be in.


Why?


Besides living side by side with people from the Camorra ("camorristi"). This is a letter to an Italian newspaper about living in Poggioreale (in Italian): https://www.corriere.it/cronache/13_luglio_28/detenuto-poggi...


Here is a link to the original interview, since neither Krebs nor the people that made the translation seem to believe in citing their sources:

https://krober.biz/?p=3200#more-3200


https://krebsonsecurity.com/wp-content/uploads/2019/09/Inter...

Here's the translated PDF. Either the original Russian was hacked up already, or this translation is very iffy.


The original is full of barely comprehensible jargon, obscure code-speak, intentional spelling mistakes, etc.


So this guy picked OP completely at random? I wonder why he was initially targeted


The most important and missing information at the start of the article is _why_ the OP had their information posted on the forum, why they were getting sent this package.


OP is a very well known security researcher. Here is his self-bio:

https://krebsonsecurity.com/about/



