At the end of his fantastic Defcon talk, Andrew ‘Zoz’ Brooks takes some time to provide more details about the thief’s identity, and lists the lessons learned.
Well, Melvin Guzman is the kind of person who spells his own name wrong on his Facebook page (see snapshot). His main activity is taking photos of himself for online dating sites, and when he saves those pictures he just mashes on the keyboard. So, my stolen computer, my beloved Mac is being used by someone less competent than a typewriting chimp. But, you know, maybe if he’d stolen an infinite number of computers, he might figure out if the complete works of Shakespeare could fit in a Mac OS filename.
But thanks to a self-portrait obsession, I hereby present the many sexy faces of Melvin Guzman (see photos below). I’m sure the ladies love some of those. And all the ladies out there: this man is available, contact me if you would like his phone number.
Now I’m sorry to anyone who wanted to see the full monty here (see image on the left), but after I originally submitted the slides the Defcon staff told me that they might have trouble when they put the videos of this talk on their CDs that they have for sale afterwards, and they may have some trouble with the A/V company if I left it in. So I had to search for something to cover up the wiener here, if you like.
But let me just say that when I searched for Defcon logo images on Google Images I only had to search for icon size. If you’ve ever wondered what photographers mean when they say: “Make love to the camera” – that’s what they mean (see collage on the right). Having made love to the camera he doesn’t mind cuddling it afterwards.
But this seems to work, alright, because the sexy ladies of the Internet responded and it worked out for him, so here’s what he was receiving back (see pics below). So, at last he found the ‘phat’ booty he was looking for, I assume so.
I don’t know a lot about online dating techniques, but I noticed when I was looking at the keylogger that there were a lot of Ctrl+V’s. And I found out why that was from watching in VNC. This guy would write a message once and then copy and paste it to literally hundreds of women. I think this used to be called the ‘shotgun approach’, but I don’t think they make shotguns that can hit 200 targets at once. So maybe we should call it the ‘nuke from orbit approach’.
And finally, an interesting bit of info considering that this is a guy using a stolen computer: he’s taking an online course for criminal justice. I think he’s enrolled in my online course for criminal justice.
After I handed all the address information I was able to give them, the police were able to go and recover the computer, and I think they did it the day after I submitted these Defcon slides after the deadline.
It taught me some lessons that I thought I would share with you. First of all, obviously, my security of the machine in the data security sense, in terms of not encrypting the hard disk and letting it boot in single user mode – was shithouse. But if I had better security, then I would never have been able to recover the computer: if the guy couldn’t log into it, if he had to wipe the drives, if he couldn’t reconnect it to the network – same deal.
So I actually recovered the hardware and I did recover some of my data; some of it had been erased but I got a little bit of it back and I set up rsync scripts every time it was online to pull in more and more of the stuff. I often wonder if he was paying for bandwidth as well, because every time it would connect I’d be sloping gigabytes of stuff back down his dial-up.
The second lesson is a lot of these services are potential vulnerabilities against a trained threat. Like, everyone here is thinking: “Oh yeah, you’re running VNC, and if you’re not tunneling it over SSH, you’re totally making a mistake,” especially also having a daemon that tracks the IP addresses wherever this machine moves, especially if this was a mobile platform. You know, if I was running a DynDNS update on my laptop, people would know where I was all the time. So that would be bad against a trained threat, but very good against a low-tech threat. So it’s all about, sort of, threat modeling and remembering to buy that 20-dollar deadbolt.
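The lesson above is that a VNC daemon reachable from the whole network is the kind of service a trained threat goes straight for, and that the fix is to expose it only on localhost and reach it through an SSH tunnel. The following is an added example, not code from the talk: it audits a netstat-style socket listing (macOS `netstat -an` format, with address and port joined by a dot; the listing itself is constructed) for a VNC listener on a wildcard address, and prints the tunnel command a client would use instead. The user and hostname are placeholders.

```shell
#!/bin/sh
# Added example, not from the talk. Checks whether a VNC/screen-sharing
# daemon listens on every interface (the exposed setup the talk warns about)
# or only on 127.0.0.1, where it can only be reached through an SSH tunnel.
# Assumes macOS `netstat -an` output: proto, recv-q, send-q, local address,
# foreign address, state, with address and port joined by "." (not ":").

# Constructed sample listing: VNC (5900) open to the world, SSH (22) open,
# and the print service (631) bound to localhost only.
SAMPLE_LISTING='tcp4       0      0  *.5900                 *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN'

# vnc_exposure: read a listing on stdin and print "exposed" if any VNC port
# (5900-5909) listens on an address other than loopback, "local" if VNC
# listens only on 127.0.0.x, or "none" if there is no VNC listener at all.
vnc_exposure() {
    awk '
        $NF == "LISTEN" {
            n = split($4, a, ".")            # last piece is the port
            port = a[n] + 0
            if (port >= 5900 && port <= 5909) {
                if (a[1] == "127") local = 1 # loopback only
                else exposed = 1             # "*", 0.0.0.0 or a real interface
            }
        }
        END {
            if (exposed) print "exposed"
            else if (local) print "local"
            else print "none"
        }'
}

# ssh_tunnel_cmd: the client-side command that forwards local port 5901 to
# VNC on the remote loopback, so the VNC session never crosses the network
# unencrypted. $1 is the SSH user, $2 the host (both placeholders here).
ssh_tunnel_cmd() {
    printf 'ssh -N -L 5901:127.0.0.1:5900 %s@%s\n' "$1" "$2"
}

printf '%s\n' "$SAMPLE_LISTING" | vnc_exposure
ssh_tunnel_cmd user laptop.example.com
```

Run against a live machine with `netstat -an | vnc_exposure`; on Linux the `ss -ltn` output uses a colon separator, so the `split` would need adjusting.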
Another thing: the Keychain[1] versus key logs. I’m one of those guys that never really trusted the keychain, because it’s a single point of failure, it’s got everything in it. What if you could get into it? But it’s actually an interesting defense against the keyloggers, which is something you’re more likely to have on your machine from spyware and stuff.
There are more sophisticated keyloggers; there are ones that log mouse movements and clicks and things like that; but for a very basic keylogger, having forms and passwords just fill themselves in automatically when you’ve logged in once – you know, it’s potentially protective.
And then finally, having my serial number was great, like, being able to give that to the cops, file the police report meant that the hardware could be recovered; without that serial number there’s no way. So write that down somewhere.
And then, the final lesson learned, of course, I’m sure you all know: don’t fuck with a hacker’s machine! Thank you!
[1] Keychain – password management system in Mac OS.