Using Google Maps To Intercept FBI and Secret Service Calls 137
An anonymous reader sends in a story about a network engineer named Bryan Seely, who was tired of seeing fake listings and spam on Google Maps. He contacted the company and tried to convince them to fix their system, but didn't have much luck. Afterward, he thought of an effective demonstration. He put up fake listings for the FBI and the Secret Service with phone numbers that sent the calls to him. When people called, he forwarded them to the actual agencies while he listened in. After recording a couple of calls for proof, he went to a local Secret Service office to explain the problem:
"After that, Seely says, he got patted down, read his Miranda rights, and put in an interrogation room. Email correspondence with the Secret Service indicates that the special agent in charge called him a 'hero' for bringing this major security flaw to light. They let him go after a few hours. Seely says the fake federal listings, which were both ranked second every time I checked Google Maps, were up for four days. He took them down himself when the Secret Service asked."
Old news. (Score:4, Interesting)
When I was working in retail about 5 years ago competitors of ours did the same. Our store name, their phone number.
Directly contacting gov agencies. Good idea? (Score:5, Interesting)
But there will be access logs and ip addresses saved in all kinds of places that will have evidence that I had stumbled on to that security hole. If I try to cover my tracks that would be even more trouble for me.
I don't know what the right thing to do would be. May be I should spring for a lawyer, document everything with my lawyer and use the lawyer to contact the agencies.
Is there a recommended way by FBI or Secret Service where one can go, establish the non-criminal bona-fide of oneself and have an intelligent conversation with someone and point out such security flaws? It is in the interest of FBI to maintain such a unit.
Re:Directly contacting gov agencies. Good idea? (Score:-1, Interesting)
The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage [amazon.com]
I see it as less about Google being bad... (Score:4, Interesting)
And IMO, knowingly deceiving people (ie, deliberately misrepresenting your own number as a conduit for contacting somebody else) to try to expose a security flaw is still deception... and IMO, a severe ethical infraction, even if the law allows it when no real harm has been done.
Good ends should not require bad means to achieve. I believe that the means must justify themselves... and if that is just not possible, then... well, you just do the best that you can with whatever it is that you have, and go forward from wherever it is that you are.
Re:Directly contacting gov agencies. Good idea? (Score:5, Interesting)
I've done it, exposing criminal fraud of spammers. I happened to be visiting DC, so took the time to meet the agent whom I'd been corresponding with and trying to get Secret Service interest because I thought it would fall under wire fraud. Local police departments had been unwilling to deal with it without proving that the spammers were from their jurisdiction, and wouldn't bother obtaining the warrants needed to get ISP logs without that proof. And the FBI kept blowing me off.
The Secret Service agent I spoke with was interested, but let me know why he couldn't justify further investigation. Without a clear abused victim with a clear monetary damage of at least $30,000, he couldn't justify obtaining the necessary necessary agency time to get the warrants to track the spammers and the fraud. So I learned a hard lesson: getting the specific criminal act of large enough damage to *justify* prosecutorial interest is key. It's why so many low scale spammers and fraudsters continue so long: they operate under the radar of police or FBI or Secret Service wire fraud thresholds.
It's a lesson that's been helpful to me in security work: It really helps to have a killer risk or a single incident to hang justification for the change in practices or policies on, as a managerial justification for time and money and resources.
That's similar to why dial phones were invented. (Score:5, Interesting)
When I was working in retail about 5 years ago competitors of ours did the same. Our store name, their phone number.
That reminds me of why dial phones were invented.
Early telephone exchanges used an operator to connect all calls. You picked up the phone and this lit a lamp and sounded a buzzer at an operator's console in the central office. The operator pulgged a cable into a jac and talked to you, found out who you wanted to talk to, and plugged another cable into the other customer's jack (or a trunk to another operator) to hook you up. Similarly when you hung up, or (if the call needed some other modification and you "flashed" by flicking the hook switch).
Some businesses bribed unscrupulous operators to redirect their competitor's calls to them, stealiing some of their buiness (especially in high customer turnover businesses, where a large fraction of the calls were initial contacts.) There was much flap over this, of course.
One such customer - an undertaker - decided to attack this problem at its root. He also happened to be what we'd now call a hacker (in the "exceptionally competent technologist" sense). He developed the earliest version of a dial telephone system, and got one of the telephone companies serving his area to install it. Electromechanical stepper switches were not susceptable to bribery, problem solved.
Of course electromechanical stepper switches are also cheaper than even low-wage people. So dial systems caught on very quickly. You still needed operators for non-simple stuff, but a company handling the bulk of the calls mechanically needed far less of them, and when such service was available businesses switched over en masse.