Steeveeo

They will find you...with the internet.


About 2 weeks ago, Deputy Matt Roberson of the Howard County Sheriff's department hunted down a wanted fugitive drug dealer, Alfred Hightower. But how did Roberson track down Hightower? Using his World of Warcraft account, obviously!

“I received information from a childhood friend, who tells me the guy is in Canada,” said Roberson. “I held onto the information in the back of my head. I spoke to the marshals and asked if we could confirm the guy’s location, would they help us get him? They indicated that they would.”


So somehow Roberson's childhood friend knows that Hightower skipped the country (I won't even guess how), so Roberson calls up the US Marshals to help out.

“We received information that this guy was a regular player of an online game, which was referred to as ‘some warlock and witches’ game,” said Roberson. “None of that information was sound enough to pursue on its own, but putting everything we had together gave me enough evidence to send a subpoena to Blizzard Entertainment. I knew exactly what he was playing — World of Warcraft. I used to play it. It’s one of the largest online games in the world.”

[..]

Roberson’s subpoena was nothing more than a politely worded request, considering the limits of his law enforcement jurisdiction and the ambiguity of the online world.

“They don’t have to respond to us, and I was under the assumption that they wouldn’t,” said Roberson. “It had been three or four months since I had sent the subpoena. I just put it in the back of my mind and went on to do other things. Then I finally got a response from them. They sent me a package of information. They were very cooperative. It was nice that they were that willing to provide information.”


It's nice to hear that a corporation like Blizzard actually cares and listens to requests on matters like this, especially considering the fact that the entire thing is online, the "Grey Area" of the law. But he got his information, and apparently much more:

Blizzard did more than cooperate. It gave Roberson everything he needed to track down Hightower, including his IP address, his account information and history, his billing address, and even his online screen name and preferred server. From there it was a simple matter to zero in on the suspect’s location.

“I did a search off the IP address to locate him,” said Roberson. “I got a longitude and latitude. Then I went to Google Earth. It works wonders. It uses longitude and latitude. Boom! I had an address. I was not able to go streetside at the location, but I had him.”


Yes, you read correctly; Roberson searched the IP address and got a full longitude and latitude location for Hightower's house. To me that sounds like something right out of CSI. It also amazes me that a wanted criminal with a World of Warcraft addiction wouldn't even bother to use something as simple as an anonymous proxy to at least play with a little security in his favorite game [Note: I do not play WoW, so I do not know if anonymous proxies are blocked by default].

The internets are no longer safe for all you criminals out there, not even Canada will save you!

(Source)


Geolocation by IP has its limitations. This site says I'm in Melbourne; before switching ISPs it placed me in Devonport. :D
I've no doubt that in either case an official request for information from my ISP (specifying when I was using the IP address) would quickly resolve that to my street address in Hobart.


Yeah, I'm pretty sure finding a location based on IP only resolves to the ISP's location. That website GreyGhost posted has me in Salt Lake City, when I'm about a 50 minute drive (and many cities) from there.

The article does mention Blizzard gave a billing address, and I assume that would have yielded better results unless it was a fake one.


“We received information that this guy was a regular player of an online game, which was referred to as ‘some warlock and witches’ game,” said Roberson.


O...k...that smells of adequacy.org to me.


Not everybody knows everything about every online RPG, you know. Especially not cops with a job to do.

If I had to describe somebody who regularly played online RPGs, even in an official statement, I'd probably use the phrase "stinking, barely-literate scum".


GreyGhost and Nomad are correct, geolocating the IP would have led roughly to the ISP's location.

That being said, Blizzard supplied the guy's billing address, and it's not like they couldn't rock up to the ISP and say "Hi, we're actual cops and we're looking for the user of this IP" and get his home address too.


http://coolrom.com/forums/showthread.php?t=15268


Especially if your ISP is aptly named "Alaska Communications" or something to the effect.


Dynamic IPs, FTW.

At least with dial-up and DSL, static IPs for household users are very uncommon and you must pay a premium/specifically request them by contract, so figuring out one's IP is only valid within a time window of anything from a few days down to a few minutes. I can get a new IP just by rebooting my router. Dunno if cable modem contracts are only given with a static IP, though.

OK, by pushing some buttons here and there you can ask an ISP to bother checking which user used IP X during time frame Y, but that's a far cry from holding one by the balls just by having figured out his current IP.

Maes said:

Dynamic IPs, FTW.

At least with dial-up and DSL, static IPs for household users are very uncommon and you must pay a premium/specifically request them by contract, so figuring out one's IP is only valid within a time window of anything from a few days down to a few minutes. I can get a new IP just by rebooting my router. Dunno if cable modem contracts are only given with a static IP, though.


On DSL you can easily have the same IP for months. It will generally remain constant as long as your connection does. And it doesn't matter if it changes. All it shows is your ISP. Same for dial-up. You're just as screwed. If you have a static IP the ISP can easily trace your account. With a dynamic IP they can probably do it most of the time anyway.

It is rather disturbing that Blizzard is so happy to give up information without a subpoena. Impersonating the cops isn't that hard to do and cops are known for abusing their power.

Aliotroph? said:

On DSL you can easily have the same IP for months. It will generally remain constant as long as your connection does. And it doesn't matter if it changes. All it shows is your ISP. Same for dial-up. You're just as screwed. If you have a static IP the ISP can easily trace your account. With a dynamic IP they can probably do it most of the time anyway.


The ISPs know perfectly well what's going on in their network (or at least they can, potentially).

Logging every packet for every user of a large ISP has a few associated costs, and that's an understatement. If they weren't legally required to log and withhold some information, no ISP would bother logging anything: less work to do, less shit to maintain, etc.: simpler is better. They could just turn on a bunch of routers and switches and kick back on their swivel chairs, so to speak, if there weren't "cybercrime" laws requiring them to keep logs.

Matching accounts and IPs is trivial if they're static for any meaningful long term. Dynamic IPs that can change at every router reboot (my ISP specifies a maximum inactive IP lease time of 24 hours) require keeping a database (OK, not horribly hard to do, but still more work for the ISP). And then there are anonymous dial-up services: IPs are entirely dynamic, there's no traceable account (unless you also ask the telephone company to give out line information, but even then there are public places etc.)

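
The point Maes and Super Jamie are arguing over (an IP on its own only names the ISP; tying it to a subscriber needs RADIUS/DHCP accounting records and the exact time of use) is easy to show with a small lookup over such records. This is an added example, not code from the thread or from any ISP's systems: the accounting log, the account names and the 203.0.113.0/24 addresses are all constructed, and the event format is an assumption.

```python
# Added example (not from the thread): given RADIUS-style accounting records
# and the question "who held IP X at time T", return the subscriber, or None
# when T falls in a gap between leases. Everything below is constructed;
# addresses use the 203.0.113.0/24 documentation range.
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional

# Constructed accounting log, one "event,utc-timestamp,ip,account" per line.
# 203.0.113.45 is released by acct-1042 and reissued to acct-2211 35 minutes later.
SAMPLE_LOG = """\
start,2009-12-01T08:00:00,203.0.113.45,acct-1042
start,2009-12-01T09:15:00,203.0.113.46,acct-3307
stop,2009-12-03T07:30:00,203.0.113.45,acct-1042
start,2009-12-03T08:05:00,203.0.113.45,acct-2211
stop,2009-12-03T22:00:00,203.0.113.46,acct-3307
"""

class Lease(NamedTuple):
    account: str
    ip: str
    start: datetime
    stop: Optional[datetime]   # None: session still open at the end of the log

def parse_log(text: str) -> List[Lease]:
    """Pair each start with its stop; starts without a stop remain open leases."""
    open_sessions, leases = {}, []
    for line in text.strip().splitlines():
        event, ts, ip, account = line.split(",")
        when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        if event == "start":
            open_sessions[(ip, account)] = when
        elif event == "stop":
            started = open_sessions.pop((ip, account))
            leases.append(Lease(account, ip, started, when))
    for (ip, account), started in open_sessions.items():
        leases.append(Lease(account, ip, started, None))
    return leases

def resolve(text: str, ip: str, at_iso: str, utc_offset_hours: int = 0) -> Optional[str]:
    """Subscriber holding `ip` at `at_iso`, a local time shifted to UTC by the offset.

    Getting the offset wrong moves the query across a lease boundary and can name
    the wrong subscriber, which is why the time frame matters as much as the IP.
    """
    at = datetime.fromisoformat(at_iso).replace(tzinfo=timezone.utc) - timedelta(hours=utc_offset_hours)
    hits = [l for l in parse_log(text)
            if l.ip == ip and l.start <= at and (l.stop is None or at < l.stop)]
    if len(hits) > 1:  # two open leases for one IP means the log itself is inconsistent
        raise ValueError(f"{ip} has {len(hits)} overlapping sessions at {at.isoformat()}")
    return hits[0].account if hits else None
```

Note that the same local timestamp, 2009-12-03 10:00, resolves to acct-1042 if it was recorded in UTC+3 and to acct-2211 if it was already UTC.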
Aliotroph? said:

It is rather disturbing that Blizzard is so happy to give up information without a subpoena.

Except they did issue Blizzard with a subpoena.

Maes said:

Dynamic IPs that can change at every router reboot (my ISP specifies a maximum inactive IP lease time of 24 hours) require keeping a database (OK, not horribly hard to do, but still more work for the ISP).

RADIUS logging, look into it.

If they weren't legally required to log and withhold some information, no ISP would bother logging anything: less work to do, less shit to maintain, etc.: simpler is better.

Whilst I agree with you that simpler is better, logging has incredible benefits to the functionality of the service an ISP provides and at the very least is essential for troubleshooting. I would be surprised if there was any ISP out there which wouldn't keep logs of most things even if the law didn't require them to.

Super Jamie said:

I would be surprised if there was any ISP out there which wouldn't keep logs of most things even if the law didn't require them to.


Seeing how most software (especially web/server-class) generates anal logs for pretty much anything, that's a given. You can't "run out" of technical logs even if you wanted to so events like IP assignments, disconnections, excessive bandwidth usage, packet hammering, attacks, internal errors etc. will not go unnoticed. As long as it helps internal troubleshooting (and the software does it anyway), it's not a burden.

However actually logging traffic and inspecting packets is another thing, which has little to offer to the ISP itself (unless under some form of serious attack via malformed packets). With the ease of IP/MAC spoofing, you really need to find evidence of any offending data actually being moved. However the case with the Blizzard account was far less esoteric in nature: it was pretty much like someone ratting you out for using a particular computer at an internet cafe during time X and Y.

Maes said:

However actually logging traffic and inspecting packets is another thing, which has little to offer to the ISP itself (unless under some form of serious attack via malformed packets). With the ease of IP/MAC spoofing, you really need to find evidence of any offending data actually being moved.

I think you will find that traffic logging can be exceptionally helpful for troubleshooting things "like IP assignments, disconnections, excessive bandwidth usage, packet hammering, attacks, internal errors". I have used it many times myself to discover issues on a connection which otherwise looked perfectly fine.

You can also use it to retroactively investigate what protocols are going over your network so you know what to prioritise to keep your subscribers happy, you can look into where your traffic is going to/from so you can investigate different peering agreements to save yourself money on upstream bandwidth, you can investigate how much traffic the majority of your users are actually doing to develop pricing structures to keep yourself relevant in the market and that's just a few examples.

As for the storage it takes up, Cisco Netflow of EVERYTHING takes about 1Tb per 2500 subscribers per month. Considering you could store this on consumer-grade drives (as it's not business critical) in a SAS array you'd be looking at <5c per subscriber per month to keep it. Not exactly a huge overhead. Of course, nobody needs to know that Maes searched for "boobies" on Google seven years ago but keeping at least some traffic logs temporarily can be a huge help.

You can never log enough. The challenge comes in using fast and precise tools to extract meaningful data from those logs, presenting it in a fashion understandable to people, and thinking of new ways to mine that data to give yourself an advantage of some kind.

Aliotroph? said:

On DSL you can easily have the same IP for months. It will generally remain constant as long as your connection does.

So true - before my old ISP upgraded their DHCP servers my dynamic IP typically changed once or twice a year. Might have been different if my wireless router wasn't on 24/7.

GreyGhost said:

So true - before my old ISP upgraded their DHCP servers my dynamic IP typically changed once or twice a year. Might have been different if my wireless router wasn't on 24/7.


Hmm, I never got a practical lease time longer than a week, even without turning my router off. The ISPs here auto-disconnect/restart their DSLAMs so often that during any long (more than 12 hours) inactivity period you're pretty much guaranteed to lose your IP, as apparently no effort goes towards re-allocating you the same IP upon reconnection. At least that's what the local ISPs do over here.


Over the last three years - according to the connection logs I've methodically copy/pasted - my longest lease time between "Normal Terminations" was 1081:56 hours (45 days). OTOH - on 16-May-2007 the server had a major fit and I was disconnected ten times in the space of two hours, spent more time off-line than on!

The old DHCP server predated the merger with another ISP and might have been less crowded than its replacement or had a different lease renewal policy.


Anyway, it's a well-known fact that anonymity on the Internet is short lived and fragile, given a determined opponent.

OTOH, there's a lot of -perhaps deliberate- media sensationalism whenever someone is busted due to/via the Internet/his cell phone/a phone booth/whatever, greatly exaggerating the swiftness and directness with which the detection and arrest took place out of the blue.

This helps perpetuate the notion that detection (and punishment) is swift, inescapable, and infallible.

What they usually don't tell you is that there usually is a lot of preliminary investigation, a lot of trial and error, and that it takes way more resources and mobilizing people (including telcos, ISPs, lawyers, consultants, specialists etc.) than a single, zealous "cybercop" to make "the bust", and the ones busted were usually under extensive surveillance/investigation for some time anyway.

Super Jamie said:

Jesus Christ dude, get DD-WRT and a syslog server.

Meh - where DD-WRT is concerned, my NetComm router is an unknown quantity. It should be compatible, having a Broadcom chipset and 4MB Flash - HOWEVER - I'd have to risk bricking it to find out. :(

Until now I've let my ISP do the logging then copy/paste from their records more-or-less monthly.

Maes said:

Dammit, Jamie. I thought you'd suggest a $8000 Cisco, the very least.

They are good for businesses and I am loath to let anything less on one of our work connections, but they're unfeasible for home stuff.

Actually my own DSL modem at my house died just before Christmas, I borrowed an 877W from work which is worth about $700. I couldn't be fucked reconfiguring my whole LAN so I just put it in bridge mode and kept PPPoE and wireless on my WRT, making the 877 the most expensive modem ever :P


A real router will have a packet destroyer on it destroying and delaying packets at random just to show how leet and extreme you are.

Super Jamie said:

There is no Netcomm that will run DD-WRT. Get a real router :)

Spending money to replace something that's not broken! My Scottish forefathers would not approve. :P

Super Jamie said:

88 bucks for a Linksys G? PAH! I got the same exact router for $25 over Newegg.

Of course then I moved out and into an apartment stuck with a fracking Belkin that boots us every 20 minutes.


I lol'ed it :D


Well then, if I were a WoW player being sought by the police, I would play on a pirated server, of course.

I don't know if the US cops are brilliant, or if that guy is a great retard. :P

Aliotroph? said:

It is rather disturbing that Blizzard is so happy to give up information without a subpoena.


Lolz. If you read it, they DID issue a subpoena and it says they didn't actually expect them to comply in the first place.
