lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: goncalo.costa at kpnqwest.pt (Goncalo Costa)
Subject: Java Anonymous Proxy (JAP) backdoored - another interesting story

For those of you shocked at learning that JAP had been backdoored at
the request/order of a judge/court to investigate a criminal, here is
another interesting story.

Notice the SURFOLA.com disclaimer.

----------  Forwarded Message  ----------

>Date: Sat, 23 Aug 2003 00:00:11 +0200
From: Barry Wels <b.wels@...6.com>
>Subject: blackmail / real world stego use
>Sender: owner-cryptography@...zdowd.com
>To: cryptography@...zdowd.com
>
>
>Hi,
>
>So far I have only found one English item in the news about this.
>
>http://www.expatica.com/index.asp?pad=2,18,&item_id=33655
>
>So let me translate some of the dutch information about this
>interesting case :
>
>A 45-year old chip designer from Utrecht was arrested June 3.
>He confessed to have tried to blackmail the 'Campina' food company.
>He had threatened to poison their products, and demanded 200.000 euro.
>
>The most remarkable thing about this case is however how he
>communicated with Campina, and how he thought to receive the money.
>
>He forced Campina to open a bank account, and get a 'world card' with
>it. Then they had to deposit 200.000 Euro on it (about 185.000
>US dollar). He ordered them to buy a credit card reader, and read the
>information off the magnetic-stripe of the 'world card'.
>Then they had to send him the output of the card reader, together with
>the pin code. With this information, he then could create a copy of
>the 'world card' using a card-writer and a blank card.
>
>To send him the information, he made them use steganography!
>Campina received an envelope via snailmail containing a floppy with a
>stego program and instructions.
>
>They had to encode the 'world card' info into a picture of a red VW
>golf, using the stego program, and a fixed crypto key that was
>included in the envelope.
>
>Finally, they had to place the picture in a fake add on a website
>where large amounts of people sell/buy second hand cars.
>
>He would then read the add, and make a copy of the picture.
>Decode the stego info out of it, write his own copy of the card,
>and withdraw money. Without ever having personal contact with Campina
>(or the police). To be real clever, he did not approach the website
>with the car adds directly. Police found out the add was approached
>trough a US anonymizer called SURFOLA.com. SURFOLA.com claims on their 
>website :
>
>"We will not give out your name, residence address, or e-mail address
>to any third parties without your permission, for any reason, at any
>time, ever."
>
>The Utrecht police informed the FBI, and asked for assistance. Within
>24 hours, the FBI cracked the case, supplying the Dutch police with
>a '@....nl' e-mail address and some paypal.com financial data.
>
>This data led to the 45 year old chip programmer.
>After his identity was known, the police ofcourse started surveillance on
>him. The 'desert terrorist' was arrested red-handed when he withdrew money
>from an ATM using the world-card copy....
>---
>
>Greetings,
>
>Barry Wels.
>

-------------------------------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ