After 9/11, a clever MIT undergrad grabbed some form of alqaeda.net. Any email sent to the address went to the corresponding @mit.edu email address. You could email professor_alice@alqaeda.net, and it'd arrive at professor_alice@mit.edu.
Undergrads sent emails like that for the lols. Recipients got freaked out they'd end up on some government watch list.
This is true of crypto wallets and NFTs as well. More than one project has attempted to send NFTs or assets to high profile wallets (ex: trillions of dog-coins sent to Vitalik's wallet that he ultimately donated to get rid of but not before drawing the intended media attention[1]) and the whole concept of airdrops is based around the idea of permissionless receiving.
Unfortunately, re: swatting via a non-tech-savvy LEA and domain registrars: you could likely just update the contact details on a domain you own to the intended target and that'd probably be enough.
Yes. Someone owns the location that's the "center of the United States" for broken IP address lookups. MaxMind gave 38 north, 97 west as the default location for 600 million IP addresses. It's a farm in Kansas.[1] MaxMind did that for 14 years. The farm was regularly visited by law enforcement, looking for various people.
I believe MaxMind finally updated the default US location to the middle of a nearby lake to help stop this issue. How long it takes everyone to update their GeoIP DBs... who can say?
edit:
>Following Hill’s extraordinary piece in Fusion, MaxMind shifted its default “United States” location to the center of a lake, west of Wichita.
Wow this was a great (and terrifying) article. I feel like companies like MaxMind shouldn't be allowed to just advertise a pin on a map and point queries for IP addresses to it. Why even have a "default" latitude and longitude? Just return null. Just terrible, irresponsible, dangerous behavior.
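Added example, not from the thread: a small sanitizer for IP-geolocation responses that does what the comment above asks for, returning no point at all when the coordinates are a known country-level placeholder or the stated accuracy radius is too large to mean anything below metro level. It assumes the response shape of a MaxMind-style city lookup (latitude, longitude, accuracy radius in km, ISO country code); the placeholder table and the sample responses are constructed, with the 38N/97W US entry taken from the discussion above.

```python
"""Treat placeholder / low-confidence GeoIP results as "country only", never as a location.

Added example; the response dicts below are constructed, not real lookups.
Assumed field names follow MaxMind GeoIP2 City: country, latitude, longitude,
accuracy_radius (km).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed table of country-level placeholder points. A result landing exactly on one
# of these means "somewhere in this country", not a pin on a map. The US entry is the
# 38N/97W centroid discussed above; extend with others as you verify them.
PLACEHOLDER_POINTS = {
    ("US", 38.0, -97.0),
}

# Above this radius the point is at best a metro-area guess; below it we still only
# claim city-level confidence, never an address.
MAX_USEFUL_RADIUS_KM = 50


@dataclass
class GeoResult:
    country: Optional[str]
    point: Optional[Tuple[float, float]]  # (lat, lon) only when plausibly meaningful
    radius_km: Optional[int]
    reason: str


def sanitize_geoip(resp: dict) -> GeoResult:
    """Return a GeoResult whose .point is None unless the coordinates are worth showing."""
    country = resp.get("country")
    lat = resp.get("latitude")
    lon = resp.get("longitude")
    radius = resp.get("accuracy_radius")

    if lat is None or lon is None:
        return GeoResult(country, None, radius, "no coordinates")

    # Compare at 0.1 degree granularity so 38.0/-97.0 and 38.04/-97.02 both match.
    if (country, round(lat, 1), round(lon, 1)) in PLACEHOLDER_POINTS:
        return GeoResult(country, None, radius, "country-level placeholder")

    if radius is None or radius > MAX_USEFUL_RADIUS_KM:
        return GeoResult(country, None, radius, "accuracy radius too large")

    return GeoResult(country, (lat, lon), radius, "ok")


# Constructed sample responses (not real IPs or lookups).
SAMPLE_PLACEHOLDER = {"country": "US", "latitude": 38.0, "longitude": -97.0, "accuracy_radius": 1000}
SAMPLE_VAGUE = {"country": "US", "latitude": 37.69, "longitude": -97.34, "accuracy_radius": 200}
SAMPLE_CITY = {"country": "US", "latitude": 37.69, "longitude": -97.34, "accuracy_radius": 20}

if __name__ == "__main__":
    for r in (SAMPLE_PLACEHOLDER, SAMPLE_VAGUE, SAMPLE_CITY):
        print(sanitize_geoip(r))
```

Anything that renders a map pin, files a report, or feeds an investigation should consume `.point`, which is `None` in the two bad cases; the `.reason` string is there so the caller can say "country only" instead of silently plotting a farm.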
The NFT can also be a program that when you try to move the token or interact with it in any way, it can do things such as transferring funds to another wallet.
There is no way this would work without approving the NFT contract to spend your tokens.
Realistically, lots of people would do this because the complexity of blockchain tech is beyond most peoples' grasp, but there is a reasonable failsafe at least.
> The source of the problem was not just the NFT and the airdrop. However, by releasing an NFT to a victim, they will see it. Then, there comes a follow-up message that demands a signature for connecting to a wallet.
> Furthermore, a prompting request for a secondary signature will come up. If the user accepts it, the hackers will access the unsuspecting user’s wallet and funds.
This is light on details, but as I said, the only way another address can spend a user's tokens is if the victim address approves it (or if the token is not ERC20 conforming). This approval might be what the article refers to here as signatures.
Alternately, this attack could somehow get a user to reveal their private key, in which case, of course an attacker has access to their funds.
Text messages and email are different because they're private: if someone sends you an abusive text only you can see it.
The problem with NFT wallets is that you can send someone something which will then be publicly visible and associated with them, without their consent.
No, text messages and email are different because they contain implicit sender/origination information, which even if fake, shows that the material in the messages comes from someone else.
Domain ownership does not have this property. "WhoUsedToBe" is not a well-known database.
'Uncle Milton Industries has been selling ant farms to children since 1956. Some years ago, I remember opening one up with a friend. There were no actual ants included in the box. Instead, there was a card that you filled in with your address, and the company would mail you some ants. My friend expressed surprise that you could get ants sent to you in the mail.
I replied: “What’s really interesting is that these people will send a tube of live ants to anyone you tell them to.”'
Since you're being modest, I'll follow with the relevant article of yours that I was going to take that quote from: https://www.gwern.net/Unseeing
(A collection of musings on the difference in mindset between "Moving the domain to a friend is okay" and "Wait, you can move the domain to anyone? How do you not see the issue with that?")
If they don't recognize that the return address is in a different area than where it was dropped off, and that the destination address is in the area it was dropped off, then oh well USPS.
This feels plausible but if someone wanted to SWAT someone ... there's probably other / likely easier ways to do it.
Having to register a domain, come up with some content, or just point the domain at some content ... then transfer it ... and then make a big deal out of it (getting attention is hard) and hoping nobody notices the easy to prove explanation that "someone transferred this to me" ... and avoiding getting caught seems like a big ordeal.
The story here is "hey random guy also hosts horrible stuff at his domain that he registered in his own name ... well he did". Maybe some folks run with that, but I'm not so sure.
The mechanism here seems "easy" on the surface, but actually rather complicated, and odds of success seems low.
1. Somehow you get the IP address of the target, maybe by playing a game with them (which can be p2p) or some other way of getting the IP address, and then geolocating (this can partially be avoided by using a VPN).
2. If someone is live-streaming outside in the real world you recognize where the person is.
I haven't heard of someone being SWATed by a nefarious actor inside a company, and never really via a domain, probably because you either purchased some protection plan to avoid spam (so that if someone looks you up on the domain they won't find any information), and also most people don't self-host things using their own domain.
With that said that doesn't mean it is impossible to occur.
For example Krebs on security has had SWATing attempts due to the content he posts. If you aren't live-streaming video games or doing IRL posts and or not reporting on bad actors you should consider other things to worry about.
A third requirement is living in a country with an overaggressive police force with more guns than they know what to do with, ready to shoot your dog or anything else that moves.
Not that it doesn't make sense to consider this situation when designing systems such as domain transfers, but this is the "Real Problem"™ IMO.
IP geolocation is not anywhere near precise enough to get you an address. It can give you a best-guess as to what city you are in (and even that is a guess), but not much better. If you aim to swat someone and you only know the IP you would contact the police who would contact the ISP to get your address connected to the internet subscription.
In this case what do you mean by "open source intelligence"? Like what would your actual steps be to go from my IP to actually knowing my name/address? A whois lookup would get you the ISP, a maxmind lookup would get you a guess at a city, but besides that what can you do?
I tend to agree. There are certainly potential bad outcomes but a lot of it boils down to SWATing and there are almost certainly easier and less traceable ways to SWAT someone. And getting attention on Twitter or whatnot presumably means getting the attention of people who can quickly determine that something is amiss.
ADDED: While this process should probably be fixed in this case, at the end of the day, there's probably no foolproof way to keep people from sending you illegal stuff in either the physical or digital world in general.
Tangentially related, but we stepped on a rake by forwarding spam and malware emails to abuse@outlook.com.
These morons got our poor mail server blacklisted in some super-exotic way that required several days of escalations to sort out. Moreover, they did it more than once, several months apart, each time causing a week of non-deliverability problems, and it took us a damn long while to add 1 and 1 to see why it was happening. Stopped reporting the abuse to them after that and all is good now.
> 1.2 "Designated Agent" means an individual or entity that the Prior Registrant or New Registrant explicitly authorizes to approve a Change of Registrant on its behalf.
Unless there is some other mechanism for preventing the Registrar from also being Designated Agent, it might be that R has terms in its EULA where registrants agree that R is also Designated Agent.
Unless things have changed, this isn't an issue with any particular registrar; you can put anyone's contact info in for the WHOIS information. In fact, just not having your name in the WHOIS won't help with the SWAT problem. Someone could just as easily create any website and just say they are you. I haven't talked to a SWAT team member in quite a while, but I still doubt they're very adept at looking up WHOIS information. I think it'd suffice to say that if anyone creates a website that says "I am ..., this is my plan to commit some serious crime", you're probably getting a visit, rather than an assumption that it's a spoof just because the WHOIS info doesn't match.
Being able to send people things without their approval is a problem on all sorts of things across the internet.
Spam email is the most common, but the same problem exists for people sharing things in Google Drive.
I had a password manager application that allowed you to share password entries to anyone else who has an account with that password manager company. The app/site actually did require you to approve the incoming entries, but didn't let you know what was in them, how many there were, etc.
I was wondering about this with regards to bitcoin and other crypto currencies (which also have no way to choose whether or not to receive something sent to you). Surely someone could do some crime with coins in a certain wallet, and then transfer them to you; your wallet now contains illegal money and you don't really have a way to prove that you weren't involved.
Because if you look at GoDaddy (probably R) domains that are "privacy protected" you see the registrant is actually "Domains By Proxy, LLC" and switching that domain to another GoDaddy account would be invisible on the whois system.
That's to the public whois system, sure. But LEAs could still obtain court orders to get the actual contact information for the domain owner; registrars are legally mandated to maintain that information, and customers are expected to keep that up to date.
Yeah, it's just that they probably aren't doing anything against the rules since the "technical" registrant never changed.
It's still a silly setup - but then again, we have the same thing in banking - I could send you funds if I know your routing and ACH number (which is available on any of your checks, etc). So if I were a big crime lord I could randomly send money directly to people I didn't like so they'd go down with me.
But you can elect not to have your domain privacy protected. And if a bad actor is trying to grief another person they could list out their entire address, email, phone etc in the public WHOIS then transfer it over to them to create the "ultimate smoking gun".
> You could instead just tell R, but I can’t really imagine a scenario where even a great tech support person would both understand the problem and be able to get it to the right people on their legal team in an reliable fashion.”
That depends…. with the right R I could see it. The tech person I interact with (rarely) at nearlyfreespeech.net deeply gets it — tech, business, legal. I doubt he’s a lawyer of course, but expect he knows when to get them involved. Probably the owner of the whole operation, if I had to guess.
And yes I realize they are probably just front ending for the real registrar, but to me they are effectively the registrar; not here to argue about that.
This is true of real estate titles in many jurisdictions, too. You can quit claim a property to anyone without their consent, and then from that point on they are on the hook for property taxes, compliance with title covenants, etc.
I've been calling this kind of thing a "reputation attack". They come in all sorts of shapes.
Here's a common one: a platform allows you to create teams and invite other users to be members of those teams. The teams that a user is a member of are shown on their profile.
Someone could create a team called "Paid up members of the Nazi party" and add people as members!
That's why it's crucial to have a "accept invitation" step if you build anything like this.
Getting a lot of press these days is the similar thing where you can transfer an NFT to someone's wallet without their permission.
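Added example, not from the thread or any particular platform: the "accept invitation" step described above, modelled as a small membership service. The unsafe variant adds a user straight into a team, so the team name appears on their public profile with no action on their part; the safe variant parks the invitation in a pending state that only the invitee can promote, and the profile query reads accepted memberships only. Names and team strings are constructed.

```python
"""Team membership with an explicit accept step, versus the reputation-attack-prone version.

Added example; the users, teams and invitation flow are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple


class UnsafeTeams:
    """Inviter decides membership unilaterally: the invitee's profile changes immediately."""

    def __init__(self):
        self.memberships: Set[Tuple[str, str]] = set()  # (user, team)

    def add_member(self, inviter: str, user: str, team: str) -> None:
        self.memberships.add((user, team))

    def public_profile(self, user: str) -> List[str]:
        return sorted(t for (u, t) in self.memberships if u == user)


class SafeTeams:
    """Invitations are pending until the invitee acts; only accepted teams are public."""

    def __init__(self):
        self.memberships: Set[Tuple[str, str]] = set()
        self.pending: Dict[Tuple[str, str], str] = {}  # (user, team) -> inviter

    def invite(self, inviter: str, user: str, team: str) -> None:
        # Re-inviting does not escalate anything; it just refreshes who asked.
        if (user, team) not in self.memberships:
            self.pending[(user, team)] = inviter

    def accept(self, user: str, team: str) -> None:
        # Only the invitee can move an invitation to membership.
        if (user, team) not in self.pending:
            raise KeyError("no pending invitation for %s to %s" % (user, team))
        del self.pending[(user, team)]
        self.memberships.add((user, team))

    def decline(self, user: str, team: str) -> None:
        self.pending.pop((user, team), None)

    def pending_for(self, user: str) -> List[Tuple[str, str]]:
        # Private inbox: shows the team AND who invited, visible only to the invitee.
        return sorted((t, inviter) for (u, t), inviter in self.pending.items() if u == user)

    def public_profile(self, user: str) -> List[str]:
        # Pending invitations never leak here.
        return sorted(t for (u, t) in self.memberships if u == user)


OFFENSIVE_TEAM = "Paid up members of the Nazi party"  # the attacker's constructed team name


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Returns (unsafe profile, safe profile before accept, safe profile after accepting a real team)."""
    unsafe = UnsafeTeams()
    unsafe.add_member("attacker", "alice", OFFENSIVE_TEAM)

    safe = SafeTeams()
    safe.invite("attacker", "alice", OFFENSIVE_TEAM)
    safe.invite("bob", "alice", "Platform Security")
    before = safe.public_profile("alice")
    safe.decline("alice", OFFENSIVE_TEAM)
    safe.accept("alice", "Platform Security")
    after = safe.public_profile("alice")
    return unsafe.public_profile("alice"), before, after


if __name__ == "__main__":
    print(demo())
```

The design point is that the only write path into `memberships` is `accept`, keyed on the invitee, so nothing an inviter does can change what the rest of the world sees on someone else's profile.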
Just did this at another well known registrar, two clicks and my friend transferred 8 domains to me without much in the way of checks. Crazy to think of but here we are.
This feels a lot like complaining anyone can send you mail. I can send anyone anything provided I know their name and address. Even illicit materials. Or illegal materials. I don't even have to provide my real name. Or address. I can make it look like anyone is a criminal. Muahahahaha.
Did they reset the DNS information? Because that's all that's really needed to prevent the sort of weird malicious behavior he's describing.
It really doesn't take much for a motivated person to destroy another person's life. People get away with that all the time. Why is it hard to believe there is yet another way to do it?
Tangentially related, now that SWAT'ing is a known-problem, is it possible to contact local law enforcement and forewarn them "Hey, I think I'm at high risk of being SWATed" such that if they receive a call they do some extra diligence to verify? (Like, for example, call you before dispatching.)
Yes. I'm sure it works better in some locations and worse in others, but I know at least a few people who have proactively called law enforcement agencies about being a high probability target of SWATing and related activities.
I mean, this is why we have due process and a trial, right? At which you can present evidence that you didn't purchase the domain. Probably it wouldn't even get that far.
Unless the LEA or the judge are savvy enough, a warrant might be issued allowing police to raid your house and seize all your computer equipment.
If that happens, you'll get arrested in front of at least some of your neighbors, who might also find out why you were arrested. (Even some of the local cops might think you're just getting away on a technicality.) Eventually being found innocent or not charged may not matter to some of them.
You will be in jail, at least for a while. You now have an arrest record. When people ask, "Have you ever been arrested," the answer will be "Yes." You might lose your job.
Your computer equipment will be seized and police will go through it. It'll be used against you in and out of court—even things that are legal—if they think it makes you look bad or will get you to talk. Getting that equipment back after charges are dropped or you are found innocent in court may or may not be slow and byzantine.
You will need to pay a lawyer, both to defend yourself, and to help you get your equipment back.
Yes, this is all fixable... if you are not poor and not rather unlucky. But it will take time and money. Even if you don't lose your job, I'd estimate that it would cost you $20K on the low end for legal fees.
Also, if you've done anything else even slightly illegal, and the LEA finds evidence of that when searching your stuff, even though you've been careful and haven't had cause to attract their attention previously... well... that's another whole bunch of trouble.
The justice system in the US is so infuriatingly bad, I don’t even know where to start when it comes to fixing it.
The class issues are enormous; if you’re wealthy enough to be able to defend yourself, you’ll still only be treated with something only loosely approximating fairness at absolutely best.
However, if you can’t afford tens of thousands for an attorney, experts, etc, you’re pretty much fucked.
We need to seriously rethink how we treat the accused in this country, from automatic sanctions that are applied to any accused, to how much leeway the police and justice system have to destroy people’s lives before there’s even been any evidence presented of an actual crime.
To add to this, it is insane that someone can be locked in jail for years without being convicted for a crime. In some cases innocent people have spent over a decade in prison before being exonerated!
> When people ask, "Have you ever been arrested," the answer will be "Yes."
And that's hoping you are a citizen. Because visa renewals (and permanent residency applications, etc) also ask the exact same question. Depending on the reason for the arrest, you can also be denied naturalization or be placed in deportation proceedings without an actual conviction being required. On the basis of your "moral character".
Only about a dozen states ban employer questions about arrest records outright. More states have no restrictions on it at all. Another set of states bans asking about expunged or sealed records, but anything else is fair game.
Among the ones who have partial bans they range from "No, unless you run a bank and the arrest was for alleged fraud or bank robbery" to "Basically yes, unless it's a really old arrest and the salary is below a threshold."
Arrest records are generally public, in my experience. Perhaps it wasn't important to ask me since it would come up in a background check. But then so are conviction records. It's just not what I remember when applying to jobs, is all.
In my previous state it wasn't banned and I saw it on every application I ever filled out, but that was quite some years ago and my current state doesn't allow it. I've heard stories of people being fired for other reasons, but officially because the company did a background check later and the person had lied on their application.
There's often an implication that an arrest wasn't necessarily mistaken, even if no charges were filed, the charges were dropped, or the person was acquitted.
I can see it making a sort of sense in some edge cases. Would you hire a bartender who had been arrested six times on suspicion of DUI just because he was never convicted? I think that would be hard to justify, if my insurance company would even allow it. (So, in my opinion, it's better if I never found out!) However, in general I find the idea distasteful, uncharitable, and un-American.
That said, I suspect most employers just like to have as many legal reasons to reject an applicant as possible to make it harder to be sued (irrespective of whether those employers are racists). In Michigan they were more or less explicit that they put their ban in place because black people are being arrested and charged at rates disproportional to eventual convictions versus other groups.
DUI example is strange. There are blood alcohol tests, can't really avoid conviction if you fail the test. What's the explanation supposed to be for all the acquittals?
The way you say it, it's like you think that more and more acquittals is evidence of guilt, but that doesn't make any sense to me.
Repeated arrests would be no accident of chance, but those repeated acquittals would even call into question a conviction in the future. Something is going on to generate false accusations.
> There are blood alcohol tests, can't really avoid conviction if you fail the test.
You can't be forced to take (or, even, given additional punishment based on an advance-consent licensing provision, as California has and used to enforce) a blood alcohol test without a warrant under Supreme Court case law, and warrants take time.
Unless the stars align the wrong way, generally the way it's gonna go is: first they will pull your background and see that there is no criminal record, good credit and a tech job. So the first thing that is going to happen is that a couple of FBI agents will probably show up at your door and ask you questions. At which point you could sit down in front of your computer with them, pull up your accounts, and see the evidence of the transfer, all without answering questions with a chance to self-incriminate.
You're completely wrong and should lawyer up if they ever come to your door.
That is not at all how the FBI operates. If they suspect you of operating a child porn ring they aren't going to just show up and ask questions, because if you are operating a child porn ring you will have nuked the evidence before they return with a warrant. They show up with a warrant. They will not allow you to touch the computer, because they won't want you to have a chance to nuke the evidence.
In any case, you don't need a clean record, good credit, or a tech job—which would actually be a liability here—to have an account with a domain registrar.
If they suspect you of operating a child porn ring, they know that you will most likely take precaution and nuke everything if you even catch wind that you are under investigation, which is why they will subpoena your bank records, phone records, ISP records, and probably put surveillance on you.
If the only thing that shows up from all the data is literally a public DNS that points to a public ip address with questionable content, while you are leading a relatively normal life with all your other income accounted for, the agency (given that they have enough tech experience in cybercrime here) will most likely assume that you are a victim, and will go talk to you. Now of course, nothing is for certain, but statistically speaking, FBI doesn't go busting doors without prior investigation.
The advice of "not answering questions" applies mostly for situations where cops are looking for the guilty party, and you don't want to accidentally self incriminate (or if you are guilty, you have a higher chance of getting off)
FBI having records of you specifically in relation to a shady website is already past the point of looking for a guilty party - the people they send are specialized in cyber crime, are there to investigate the entirety of the situation with enough information about you already collected from all the sources like ISP logs, background check, and so on, all indicating that you are probably not guilty, as people who actually run sites like that statistically lead very different lives
You can refuse to answer questions and let them in, however that has a higher rate of a search warrant, seizure and possibly arrest. Or you could just show them your domain registrars, tell them that you have no idea where it came from, and then look up history that shows the transfer, and that could be the end of your trouble, without any self incriminating statements.
I generally like to think I'm a rather calm individual. It takes quite a bit to get me flustered.
But let me tell you, I have had a couple of FBI agents show up at my door. And when I saw those badges, even though I know I've not done anything, I was nervous. Had a legit adrenaline dump. All because my address was the last known address of someone they wanted to speak with. This someone was male, brown hair, about the same height and build as me, etc. As soon as they noticed the similarities, it was not a "sit down in front of your computer and straighten this out" kind of situation. They are there for a reason - to find a criminal. They aren't there to shoot the shit with you and explain "it's all just a big misunderstanding".
If the FBI shows up at your door without a warrant, don't let them in and don't speak to them. If they insist, insist on having a lawyer present.
Luckily my situation ended up OK. I got a lawyer who specifically had experience with federal law enforcement and had them do all the "straightening up of the situation". But it cost me money and took weeks of what should have been "here is my driver's license, passport, and deed. I am me, not the other guy".
I mean, that may well be true. But if so, that's a problem with law enforcement and the justice system in general, not with the domain registrar.
I believe, for example, that it is extremely rare to have your door knocked down here in the UK. The police will generally politely knock and/or ring the doorbell, and only knock your door down if you refuse to let them in.
> The police will generally politely knock and or ring the doorbell, and only knock your door down if you refuse to let them in.
I highly doubt that this is going to be the case if the warrant says that you’re wanted for child abuse imagery or human trafficking. I’m sure they’re lovely for small infractions, though.
That’s a surprising pair of crimes to equate, as to me they warrant very different police responses. Police violence ought to be a last-resort tool to e.g. prevent further crime or injury to innocents. Not as a punishment that scales with the abhorrence (or moral panic) of the crime.
There’s no need to send the swat team for a non-violent non-organised criminal, monster though they may be.
> I highly doubt
At least on paper UK police aim to take a more evidence-based light-touch community-building approach to policing, so I'd be curious what reasons you have to doubt this claim?
The assumption that US morality and culture applies globally is tiring and misses out on an opportunity for learning through comparison.
Well sure, if you are sufficiently privileged to warrant getting a polite knock on the door rather than an amped up heavily armed borderline hit squad kicking your door in.
It's also worth noting that the author specifically called out in the article that the concern here is SWATing which has become such a notorious problem in some circles that the concept has made it into mainstream TV shows covering the practice.
Due process only counts when it's uniformly available, and there is ample evidence in the United States, and other countries that have similar policy, that the effectiveness of civil rights protections varies widely by economic status and ethnicity.
The point of swatting isn't to get someone convicted, it's to get the police to harass someone.
Have you ever seen a no-knock raid? It happened to a house 5 houses down from where I live. They broke down the door and threw a couple of flash-bangs inside. Even from 5 houses away with all doors and windows closed, I could have sworn someone just fired off a cannon. Pretty sure they won't be fixing or paying for any damages either.
> Pretty sure they won't be fixing or paying for any damages either.
There was a somewhat-well-publicized incident a couple years(?) back when IIRC a shoplifting suspect (who was armed, I think) was chased by the cops, hid in a stranger's house, the police wrecked the house getting the guy out, and then didn't pay a dime to fix it, let alone anything to compensate for the significant inconvenience of having a messed-up house and having to have a lot of work done to repair it. Can't recall whether there were any successful lawsuits after, but the default was definitely, "nope, that's entirely your problem, we just break stuff, we don't fix it".
And that's for someone who wasn't even any kind of target for the police, but an innocent bystander.
No reason to worry. After this page topped HN all the SWAT teams will be overwhelmed and when they get to your house in 10 years you probably will already have moved.
> These days, one would hope LEA officers would at least look at who owns the domain name, but you just said that the registrar transferred it to you and changed the WHOIS data to use your full name and address.
I started to write a comment about how horribly optimistic this is but then I thought about it some more.
If it is indeed "Local" police you are probably screwed. They have zero understanding of the internet/tech and even people in positions with titles like "Cyber security" at your local station are probably just cops that got promoted into that role and have very little to zero understanding. Every interaction with my local cops w.r.t. technology has been painful and fruitless.
Of course this assumes they would follow up on it in the first place. My LEA outright refused to lift a finger with a harassment case even when provided step by step instructions (and we knew who was behind it) on how to request information from the company the harasser was using (throwaway phone numbers). That said, maybe an instance like the author describes would get them off their butts.
If it goes up to a federal level then maybe they would understand the nuance of domain transfers but not before kicking in you door.
It shouldn't be hard to make the actual bits themselves live on the blockchain. It's trivial to make values so that their hashes have certain bits set to 0 or 1 as you chose (as long as you only use a few bits per hash)...
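Added example, not from the thread: the hash-grinding trick the comment above describes, carried out end to end. Each "transaction" is a prefix plus a nonce, chosen by brute force so that the top k bits of its hash equal the next k bits of the message; a decoder that only sees the hashes recovers the message. This assumes a single SHA-256 over the payload stands in for whatever a given chain uses as a transaction id; the message and prefix are constructed. Expected work is about 2^k hashes per transaction, which is why only a few bits per hash are practical.

```python
"""Embed arbitrary bits in hash values by grinding nonces (k bits per hash).

Added example. Assumes SHA-256 of the payload plays the role of a chain's transaction
id; nothing here touches a real chain. Message and prefix are constructed.
"""
import hashlib
from typing import List


def top_bits(digest: bytes, k: int) -> int:
    """The k most significant bits of a digest as an integer (k <= 32)."""
    return int.from_bytes(digest[:4], "big") >> (32 - k)


def grind(prefix: bytes, target: int, k: int, max_tries: int = 1 << 24) -> bytes:
    """Find prefix||nonce whose SHA-256 starts with the k-bit value `target`."""
    for nonce in range(max_tries):
        payload = prefix + nonce.to_bytes(4, "big")
        if top_bits(hashlib.sha256(payload).digest(), k) == target:
            return payload
    raise RuntimeError("no nonce found within max_tries")


def encode_message(msg: bytes, k: int, prefix: bytes = b"tx:") -> List[bytes]:
    """Return one payload per k-bit chunk of `msg` (last chunk zero-padded to k bits)."""
    bits = [(byte >> (7 - i)) & 1 for byte in msg for i in range(8)]
    while len(bits) % k:
        bits.append(0)
    payloads = []
    for i in range(0, len(bits), k):
        chunk = bits[i:i + k]
        target = int("".join(map(str, chunk)), 2)
        # Distinct prefix per chunk so identical targets do not yield identical payloads.
        payloads.append(grind(prefix + i.to_bytes(4, "big"), target, k))
    return payloads


def decode_hashes(hashes: List[bytes], k: int, nbytes: int) -> bytes:
    """Recover `nbytes` of message from the top k bits of each hash, in order."""
    bits = []
    for h in hashes:
        v = top_bits(h, k)
        bits.extend((v >> (k - 1 - i)) & 1 for i in range(k))
    bits = bits[: nbytes * 8]
    out = bytearray()
    for i in range(0, len(bits), 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def roundtrip(msg: bytes, k: int) -> bytes:
    """Encode, keep only the hashes (what an observer of the chain sees), decode."""
    payloads = encode_message(msg, k)
    hashes = [hashlib.sha256(p).digest() for p in payloads]
    return decode_hashes(hashes, k, len(msg))


if __name__ == "__main__":
    msg = b"hi"
    print(len(encode_message(msg, 4)), "payloads for", msg, "at 4 bits each")
    print(roundtrip(msg, 4))
```

With k = 4 the 16-bit message above costs four payloads and roughly 16 hash attempts each; raising k cuts the number of transactions but the grinding cost grows as 2^k, so the content always ends up spread thinly across many hashes rather than sitting in any one of them.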
People who swat don't care about the person being charged and tried; it's all about making the police kick your door down, kill your dog/pet, and potentially kill you (or at least scare the shit out of you).
If you want to get ICANN to fix this vulnerability, you could fix it:
A. The Proper Way: Find the right person at ICANN, send letters, follow-up, and hope they understand and prioritize the issue so it's addressed in some number of years.
or
B. The Fast Way: Register a funny yet embarrassing domain name, transfer it to a senior ICANN official, tweet to some journalists idle speculation wondering why this person has such a domain name. The vulnerability will be addressed ASAP. :-)
When I saw "funny yet embarrassing" I pictured something like rewrite-the-internet-in-Qbasic.com, creating grounds for a lawsuit is completely optional.
If there isn't 1) intent for defamation, and 2) identifiable damages (monetary) then there's no viable lawsuit; and arguably any reputation "damage" is deserved if the organization they're in charge of allowed this to happen so easily.
There doesn't have to be those things to make your life hell, at least not in the US. There just has to be enough of an argument where a judge will be OK with bringing it to court - and even if he isn't OK with it, you'll still have tons of lawyer fees to deal with.
The domain name must be paid for by someone. After the transfer, if the employee is not up to date with their inbox, they may end up paying for something they did not consent to.
Is there really no legal basis to sue someone because of this? Is that clearly not malicious behavior from the one who transferred the domain?
You don't get SWATed for owning a child porn domain. SWAT teams only break down your door if you might have a weapon and be violent with it. If the police just think you're involved in a crime, they have to get a warrant for your arrest and then knock on your door and wait "a reasonable amount of time". They're also less trigger happy if they don't suspect you of having a weapon.
"The 2017 Wichita swatting occurred on December 28, 2017, in Wichita, Kansas, United States. The incident began as an online dispute between Casey Viner and Shane Gaskill, regarding the video game Call of Duty: WWII. During the dispute, Viner threatened to have Gaskill swatted, and Gaskill responded by giving him a false address for his residence, one that was occupied by an uninvolved person, Andrew Finch. Viner then asked Tyler Barriss to make the required fraudulent call to initiate the swatting. Wichita Police responded to the address, and as Finch was exiting his house, police officer Justin Rapp fatally shot him."
"Barriss, identifying himself as "Brian", claimed that he was at the residence at 1033 West McCormick Street, had fatally shot his father, and was holding family members at gunpoint. He asked if police were coming to the house, saying he had already poured gasoline all over the house and was threatening to set it on fire."
^ THAT is why the police shot. Not because someone had registered a domain name called "imakechildporn.com". They need a credible and imminent threat of violence. You can't just roll up on someone who might be hosting an "illegal website" and use that as a pretext to shoot first, ask questions later.
I'd argue that someone phoning in such an over-the-top movie scenario threat from an anonymous phone number is also not a "credible and imminent threat of violence". Definitely something that warrants investigation of course, but not something to start pulling out all the guns and start shooting people when they open the front door to see what all the ruckus is about.