Hacker News
Stalking a person with only their email & IP address (attackvector.org)
66 points by hartleybrody on Nov 12, 2011 | 31 comments



Whoever wrote this is a complete idiot and doesn't know the first thing about computer forensics.

Check out this gem:

"I use spammers and pedophiles as test subjects when I’m working on something. This is mostly because it’s unlikely that they would go to the authorities and point the finger at me, knowing that I could easily turn around and say something to the effect of, “Well, yes I did pwn his box.. but you should have seen all the child porn I found on it.” owned x 2."

Well, owned x 3 because the first thing that this would do is backfire, after all if you admitted to hacking someone's box they could make a fair claim to you having put that data there.

The last thing you do when you go after a pedophile is to hack their computer, any evidence found there is tainted, and you are now a suspect with a confession on record.

There are several other laws this guy broke in his vigilante action against this spammer, he's set himself up quite nicely for a lawsuit, after all he's handed the prosecution all the documentation they could possibly wish for.


It is moronic that he thinks that informing cops about child porn on a computer he hacked would get him out of trouble, or get the pedophile in trouble - but the odds that a pedophile is going to call the police and complain about being hacked seem to me to be about where he puts them. He's not talking about "going after" the pedophile, he's talking about hacking the pedophile to have somebody to hack.

Out of curiosity, what possible laws did he break by going through a few public databases, Facebook, whois data and Google, and what does it have to do with computer forensics? I did this same type of thing to go after a 4chan-type troll who was attacking my blog a few years ago, and it was a joy to really effectively stop somebody who thought they were anonymous on the internet.


He should have left the guy's wife out of it for one, he also should not admit in public to hacking computers. Regardless of who owns them that's breaking the law.


He definitely shouldn't have mentioned the guy's wife and kids, but it's certainly not against the law. It's definitely not bright to admit in public to hacking computers in the same way it's not bright to admit in public to doing drugs, but it isn't actually against any law but the law of prudence and good sense.


Before you ever decide to hack someone's computer I suggest you consult a lawyer.


I think I missed something. How did he hack the other guy's computer? He based his analysis on email headers received in his own computer, and used Google, whois, fb, etc. after that. Right?


He didn't hack this guy's computer but he pretty much documents for the world to see that he's hacked other computers.

There's stupid and then there is this article.


Before you ever decide to smoke marijuana, I suggest you consult a lawyer.


I don't think he says he actually hacked this guy. What laws are you referring to?


This guy is clearly a complete moron, but the thing that annoyed me the most was not the fact that he seems to think he's a genius for being able to use Google, it's his total misuse of the phrase "work cut out for".

Also, consider what you’re sending in this email. What if this guy had sent me an email trying to extort me, threaten me, whatever? I could turn this over to the authorities and they’d have their work cut out for them.


I noticed that as well. I had to re-read it a few times before I believed it.


This is Dumb catching Dumber. Only the bottom of the barrel spammers in the year 2010 would use their real non-proxied IP address and a non-private WHOIS record. I would also point out that GeoIP does not point out the address of the person using an IP address, just their ISP (or whoever owns the ARIN block).


Rule #3: Spammers are stupid.

http://bruce.pennypacker.org/2005/02/28/the-rules-of-spam/

The barrel is immense, and even the bottom is quite large.


Yea.. Knowing his IP was pretty useless considering he got the same using just the email address' domain.


I stopped reading when I read:

Just put the IP address in the box and hit “search”. Here’s what we find.

    Region: Washington
    City: Spokane
    Postal code: 99205 
So, we’re narrowing it down.. we now know that it’s Spokane, Washington.

Erm, no you don't know that he lives there, it just means that the IP address he happens to hit the internet with belongs at that address. If I geoIP myself it comes up about 300+ miles from where I live, I geoIPd some of the public wifi connections I used and it's not even the same country that I am in.

I blame Google Analytics for this, I often hear people say stuff like "hmm, all our visitors seem to come from London, let's optimise our site for people in London".


It's also possible that the spam email came from a computer infected with malware, making the target of this "attack" an innocent bystander.

Whether this was the case, in this instance, is insignificant, it's just one of those things that the author didn't think of, it shows the author did not think very deeply about the situation, and simply wanted to flex his technical jock.


The email was coming from his email address, using his business’s name, and advertising his business


The realities of life are that at some point you're going to have to give out your personal information. From a fragment of that it's pretty easy to reconstruct the rest.

The only thing the internet really changes is using a browser vs. going down to the courthouse.

Finding a name, address and phone number are not really a big deal. Life is far better knowing lots of people than it is knowing a few people. My time is worth far more than anything I could hope to gain from tracking down someone who sends me email I don't want. I'd much rather just click the Spam button and get on interacting with the wonderful people in my life.

"OMG, someone on the internet found my name, address, and phone number. I don't know how I could go on living my life dealing with phone calls and mail, my life has been completely destroyed!"

If this person could put my name, phone number and address in front of every person on the planet I'd gladly pay for that service, it would be extremely valuable having 7 billion people know how to reach me.


Whois info can and does easily get falsified. So the basis of his entire research which was built on checking whois is incorrect. In other words there is nothing preventing anyone from registering a domain name using someone else's contact info. Which is actually done quite frequently by web designers as only one example on behalf of their customers for legitimate reasons.

Separately, this is also incorrect:

"and it’s the administrative contact, which means he owns the domain"

The "registrant" actually owns the domain. Not the admin contact. Of course the admin contact can own the domain. And all the info can be false anyway as mentioned.

For example in the case of the domain "ycombinator.com" the admin contact is "Kirsty Nathoo" who, according to LinkedIn, is the "VP Finance and Operations at Y Combinator". The registrant is Ycombinator LLC and of course that makes sense that they are the owner.

Geo locating IP addresses also produces far from gold standard results.


Hm. He keeps [redacting] Nancy's name, but leaves it in all the screenshots. Sloppy work, there.


UPDATE (1/12/2011): I received an email from Steve regarding this post. He sincerely apologized for his actions and realized now that what he did was wrong and simply asked that I modify the post to protect the identities of his family. I felt that this was a fair request, considering that his family had nothing to do with what Steve did and it doesn’t jeopardize the impact of the article. So, if you’re wondering why you’re seeing all the “[withheld]“‘s, that’s why!

PS – Yes, I realize the names are still shown in the images, but they’re not indexed by Google


"but they’re not indexed by Google"

...yet.


Came here to post the same comment. So strange - is this on purpose or I wonder if he just did a find/replace?


His goal seems to be to keep the page from coming up on google searches on "Steve"'s families' names.


I do this sort of stuff on a near-daily basis. All the tools he refers to are quite common.

The only thing I'd add is that if you're a state of Washington resident, your personal details are particularly open to the Internet. They seem to have every little government database open for use. I always breathe a sigh of relief when whoever I have to track down lives or has lived in WA.

In numerous other cases, I've had to track down people merely with a street address, and getting a full dossier on those people is equally easy.

If I were to use illegal techniques, it would be orders of magnitude scarier.

I track down criminals or long lost loved ones normally, but how do you combat being found? Dis-information. I could go on about this, if people were interested.

Summary: keep your personal life off the Internet.


whois ricardo.cc

ring me up :)

I'm not worried about my address, phone, name or email. You can get those from the doormen, co-workers, friends, google and hundreds of documents scattered around the world (bills, contracts, registers, etc).

The best you can and should do is protect your personal life. I recently switched my FB account to "friends only" - that should be the default for everybody.


You realize of course that your friends include any attorney with a subpoena, the world's intelligence agencies (who's to say there isn't Intelligence life in space), and all the criminal hackers on the planet.

Sleep tight.


I do. I don't carry any secrets though (and for sure wouldn't share them on Facebook), and am more afraid of being run over by a bus. Otherwise I would just get off the internet.


On a somewhat related note, this talk from defcon:

http://www.youtube.com/watch?v=fEmO7wQKCMw

Is actually pretty cool, albeit a little far fetched in parts.


It seems inevitable that all public information about people will become organized, and you just won't be able to keep secrets like this any more. Better that it be available to everyone than only to sneaky governmental agencies.


Just 2 cents- Bankruptcy details are from PACER (pcl.uscourts.gov). The rest is obvious, of course.



