Dangerous Gift

326 points | rdpintqogeogsaa | 3 years ago | tbray.org

137 comments

[+] blip54321|3 years ago|reply
After 9/11, a clever MIT undergrad grabbed some form of alqaeda.net. Any email sent to the address went to the corresponding @mit.edu email address. You could email [email protected], and it'd arrive at [email protected].

Undergrads sent emails like that for the lols. Recipients got freaked out they'd end up on some government watch list.

[+] quartz|3 years ago|reply
This is true of crypto wallets and NFTs as well. More than one project has attempted to send NFTs or assets to high profile wallets (ex: trillions of dog-coins sent to Vitalik's wallet that he ultimately donated to get rid of but not before drawing the intended media attention[1]) and the whole concept of airdrops is based around the idea of permissionless receiving.

Unfortunately, re: swatting via a non-tech-savvy LEA and domain registrars: you could likely just update the contact details on a domain you own to the intended target and that'd probably be enough.

[1] https://www.coindesk.com/markets/2021/10/20/vitalik-buterin-...

[+] Animats|3 years ago|reply
> non-tech-savvy LEA

Yes. Someone owns the location that's the "center of the United States" for broken IP address lookups. MaxMind gave 38 north, 97 west as the default location for 600 million IP addresses. It's a farm in Kansas.[1] MaxMind did that for 14 years. The farm was regularly visited by law enforcement, looking for various people.

[1] https://web.archive.org/web/20160817013603/http://fusion.net...

[+] WalterSear|3 years ago|reply
A while ago I read an amusing tweet about some person airdropping racist NFTs on people, that were then automagically displayed as their avatars.
[+] TremendousJudge|3 years ago|reply
The NFT can also be a program that when you try to move the token or interact with it in any way, it can do things such as transferring funds to another wallet.
[+] jonny_eh|3 years ago|reply
Also true of text messages and email, which can include unsavory content.
[+] gwern|3 years ago|reply
https://www.schneier.com/blog/archives/2008/03/the_security_...

'Uncle Milton Industries has been selling ant farms to children since 1956. Some years ago, I remember opening one up with a friend. There were no actual ants included in the box. Instead, there was a card that you filled in with your address, and the company would mail you some ants. My friend expressed surprise that you could get ants sent to you in the mail.

I replied: “What’s really interesting is that these people will send a tube of live ants to anyone you tell them to.”'

[+] tomcatfish|3 years ago|reply
Since you're being modest, I'll follow with the relevant article of yours that I was going to take that quote from: https://www.gwern.net/Unseeing

(A collection of musings on the difference in mindset between "Moving the domain to a friend is okay" and "Wait, you can move the domain to anyone? How do you not see the issue with that?")

[+] zeckalpha|3 years ago|reply
The postal service uses the return address in a similar way. If you don’t have a stamp, swap the return and destination addresses.
[+] duxup|3 years ago|reply
This feels plausible but if someone wanted to SWAT someone ... there's probably other / likely easier ways to do it.

Having to register a domain, come up with some content, or just point the domain at some content ... then transfer it ... and then make a big deal out of it (getting attention is hard) and hoping nobody notices the easy-to-prove explanation that "someone transferred this to me" ... and avoiding getting caught seems like a big ordeal.

The story here is "hey random guy also hosts horrible stuff at his domain that he registered in his own name ... well he did". Maybe some folks run with that, but I'm not so sure.

The mechanism here seems "easy" on the surface, but is actually rather complicated, and the odds of success seem low.

[+] zitterbewegung|3 years ago|reply
SWATing someone generally involves two things.

1. Somehow you get the IP address of the target, maybe by playing a game with them (which can be p2p) or some other way of getting the IP address, and then geolocating (this can partially be avoided by using a VPN).

2. If someone is live-streaming outside in the real world, you recognize where the person is.

I haven't heard of someone being SWATed by a nefarious actor inside a company and never really a domain probably because you either purchased some protection plan to avoid spam so that if someone looks you up on the domain they won't find any information and also most people don't self host things using their own domain.

With that said, that doesn't mean it is impossible to occur. For example, Krebs on Security has had SWATing attempts due to the content he posts. If you aren't live-streaming video games or doing IRL posts and/or not reporting on bad actors, you should consider other things to worry about.

[+] ghaff|3 years ago|reply
I tend to agree. There are certainly potential bad outcomes but a lot of it boils down to SWATing and there are almost certainly easier and less traceable ways to SWAT someone. And getting attention on Twitter or whatnot presumably means getting the attention of people who can quickly determine that something is amiss.

ADDED: While this process should probably be fixed in this case, at the end of the day, there's probably no foolproof way to keep people from sending you illegal stuff in either the physical or digital world in general.

[+] abcd_f|3 years ago|reply
Tangentially related, but we stepped on a rake by forwarding spam and malware emails to [email protected].

These morons got our poor mail server blacklisted in some super-exotic way that required several days of escalations to sort out. Moreover, they did it more than once, several months apart, each time causing a week of non-deliverability problems, and it took us a damn long while to add 1 and 1 to see why it was happening. Stopped reporting the abuse to them after that and all is good now.

[+] cgriswald|3 years ago|reply
II.A.1.2:

> 1.2 "Designated Agent" means an individual or entity that the Prior Registrant or New Registrant explicitly authorizes to approve a Change of Registrant on its behalf.

Unless there is some other mechanism for preventing the Registrar from also being Designated Agent, it might be that R has terms in its EULA where registrants agree that R is also Designated Agent.

[+] gmiller123456|3 years ago|reply
Unless things have changed, this isn't an issue with any particular registrar; you can put anyone's contact info in for the WHOIS information. In fact, just not having your name in the WHOIS won't help with the SWAT problem. Someone could just as easily create any website and just say they are you. I haven't talked to a SWAT team member in quite a while, but I still doubt they're very adept at looking up WHOIS information. I think it'd suffice to say that if anyone creates a website that says "I am ..., this is my plan to commit some serious crime", you're probably getting a visit, rather than an assumption that it's a spoof just because the WHOIS info doesn't match.
[+] justin_oaks|3 years ago|reply
Being able to send people things without their approval is a problem on all sorts of things across the internet.

Spam email is the most common, but the same problem exists for people sharing things in Google Drive.

I had a password manager application that allowed you to share password entries to anyone else who has an account with that password manager company. The app/site actually did require you to approve the incoming entries, but didn't let you know what was in them, how many there were, etc.

[+] skykooler|3 years ago|reply
I was wondering about this with regards to bitcoin and other cryptocurrencies (which also have no way to choose whether or not to receive something sent to you). Surely someone could do some crime with coins in a certain wallet, and then transfer them to you; your wallet now contains illegal money and you don't really have a way to prove that you weren't involved.
[+] bombcar|3 years ago|reply
Was this a "privacy protected domain"?

Because if you look at GoDaddy (probably R) domains that are "privacy protected" you see the registrant is actually "Domains By Proxy, LLC" and switching that domain to another GoDaddy account would be invisible on the whois system.

[+] Bytewave81|3 years ago|reply
That's to the public whois system, sure. But LEAs could still obtain court orders to get the actual contact information for the domain owner; registrars are legally mandated to maintain that information, and customers are expected to keep that up to date.
[+] dotBen|3 years ago|reply
But you can elect not to have your domain privacy protected. And if a bad actor is trying to grief another person they could list out their entire address, email, phone etc in the public WHOIS then transfer it over to them to create the "ultimate smoking gun".
[+] albert_e|3 years ago|reply
This does not seem to be an option for some of the newer (cheaper) domains like .link and .click

They are available for $5 per year but you need to publicly show your details.

[+] gwbas1c|3 years ago|reply
It stinks that we can't trust people.

What's more frustrating is when software designers / product managers / business-ey people forget that "we can't trust people."

[+] userbinator|3 years ago|reply
...and what's even more frustrating is when the latter use it as an excuse to force us into their authoritarian dreams.
[+] natch|3 years ago|reply
> You could instead just tell R, but I can’t really imagine a scenario where even a great tech support person would both understand the problem and be able to get it to the right people on their legal team in a reliable fashion.

That depends…. with the right R I could see it. The tech person I interact with (rarely) at nearlyfreespeech.net deeply gets it — tech, business, legal. I doubt he’s a lawyer of course, but expect he knows when to get them involved. Probably the owner of the whole operation, if I had to guess.

And yes I realize they are probably just front ending for the real registrar, but to me they are effectively the registrar; not here to argue about that.

[+] greyface-|3 years ago|reply
This is true of real estate titles in many jurisdictions, too. You can quitclaim a property to anyone without their consent, and then from that point on they are on the hook for property taxes, compliance with title covenants, etc.
[+] simonw|3 years ago|reply
I've been calling this kind of thing a "reputation attack". They come in all sorts of shapes.

Here's a common one: a platform allows you to create teams and invite other users to be members of those teams. The teams that a user is a member of are shown on their profile.

Someone could create a team called "Paid up members of the Nazi party" and add people as members!

That's why it's crucial to have an "accept invitation" step if you build anything like this.

Getting a lot of press these days is the similar thing where you can transfer an NFT to someone's wallet without their permission.
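One way to build the accept step simonw describes, as an added example that is not from the thread or from any real platform; the team, owner and user names are hypothetical. The weak "add directly" method sits beside the invite/accept flow so the difference in what a profile exposes is visible.

```python
from dataclasses import dataclass, field


@dataclass
class Team:
    name: str
    owner: str
    members: set = field(default_factory=set)
    pending: set = field(default_factory=set)  # invited, not yet accepted


class Platform:
    def __init__(self):
        self.teams = {}

    def create_team(self, name, owner):
        self.teams[name] = Team(name, owner, {owner})

    # Weak design: the owner attaches anyone, and the team appears on the
    # victim's profile immediately (the reputation attack described above).
    def add_member_unchecked(self, team, actor, user):
        t = self.teams[team]
        if actor != t.owner:
            raise PermissionError("only the owner manages membership")
        t.members.add(user)

    # Hardened design: the owner can only invite; the invitee must accept.
    def invite(self, team, actor, user):
        t = self.teams[team]
        if actor != t.owner:
            raise PermissionError("only the owner manages membership")
        if user not in t.members:
            t.pending.add(user)

    # 'user' is the authenticated invitee; the owner cannot accept for them.
    def accept(self, team, user):
        t = self.teams[team]
        if user not in t.pending:
            raise PermissionError("no pending invitation for this user")
        t.pending.discard(user)
        t.members.add(user)

    def decline(self, team, user):
        self.teams[team].pending.discard(user)

    # Public profile lists only memberships the user consented to; pending
    # invitations are visible to the invitee alone (not modelled here).
    def profile_teams(self, user):
        return sorted(t.name for t in self.teams.values() if user in t.members)
```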

[+] ianbutler|3 years ago|reply
Just did this at another well known registrar, two clicks and my friend transferred 8 domains to me without much in the way of checks. Crazy to think of but here we are.
[+] bena|3 years ago|reply
This feels a lot like complaining anyone can send you mail. I can send anyone anything provided I know their name and address. Even illicit materials. Or illegal materials. I don't even have to provide my real name. Or address. I can make it look like anyone is a criminal. Muahahahaha.

Did they reset the DNS information? Because that's all that's really needed to prevent the sort of weird malicious behavior he's describing.

[+] namaria|3 years ago|reply
It really doesn't take much for a motivated person to destroy another person's life. People get away with that all the time. Why is it hard to believe there is yet another way to do it?
[+] javajosh|3 years ago|reply
Tangentially related, now that SWATing is a known problem, is it possible to contact local law enforcement and forewarn them "Hey, I think I'm at high risk of being SWATed" such that if they receive a call they do some extra diligence to verify? (Like, for example, call you before dispatching.)
[+] FemmeAndroid|3 years ago|reply
Yes. I'm sure it works better in some locations and worse in others, but I know at least a few people who have proactively called law enforcement agencies about being a high probability target of SWATing and related activities.
[+] nicoburns|3 years ago|reply
I mean, this is why we have due process and a trial, right? At which you can present evidence that you didn't purchase the domain. Probably it wouldn't even get that far.
[+] cgriswald|3 years ago|reply
Unless the LEA or the judge are savvy enough, a warrant might be issued allowing police to raid your house and seize all your computer equipment.

If that happens, you'll get arrested in front of at least some of your neighbors, who might also find out why you were arrested. (Even some of the local cops might think you're just getting away on a technicality.) Eventually being found innocent or not charged may not matter to some of them.

You will be in jail, at least for a while. You now have an arrest record. When people ask, "Have you ever been arrested," the answer will be "Yes." You might lose your job.

Your computer equipment will be seized and police will go through it. It'll be used against you in and out of court—even things that are legal—if they think it makes you look bad or will get you to talk. Getting that equipment back after charges are dropped or you are found innocent in court may or may not be slow and byzantine.

You will need to pay a lawyer, both to defend yourself, and to help you get your equipment back.

...

[+] akersten|3 years ago|reply
The point the author is making is that that "due process" happens after your hypothetical front door is kicked down and dog shot, unfortunately.
[+] ygjb|3 years ago|reply
Well sure, if you are sufficiently privileged to warrant getting a polite knock on the door rather than an amped up heavily armed borderline hit squad kicking your door in.

It's also worth noting that the author specifically called out in the article that the concern here is SWATing which has become such a notorious problem in some circles that the concept has made it into mainstream TV shows covering the practice.

Due process only counts when it's uniformly available, and there is ample evidence in the United States, and other countries that have similar policy, that the effectiveness of civil rights protections varies widely by economic status and ethnicity.

[+] teakettle42|3 years ago|reply
> due process and a trial

Good luck with that.

Even on completely spurious charges, you’ll spend time in jail, spend tens of thousands on legal fees, and spend months of your life sweating bullets.

Afterwards, you won’t even be able to sue the police thanks to qualified immunity.

[+] usefulcat|3 years ago|reply
The point of swatting isn't to get someone convicted, it's to get the police to harass someone.

Have you ever seen a no-knock raid? It happened to a house 5 houses down from where I live. They broke down the door and threw a couple of flash-bangs inside. Even from 5 houses away with all doors and windows closed, I could have sworn someone just fired off a cannon. Pretty sure they won't be fixing or paying for any damages either.

[+] inetsee|3 years ago|reply
Yeah, but that might involve lawyers and that could get expensive fast.
[+] dmd|3 years ago|reply
Is this a joke? You don't get due process and a trial in this kind of situation - you've already been shot dead by the SWAT team.
[+] neves|3 years ago|reply
No reason to worry. After this page topped HN all the SWAT teams will be overwhelmed and when they get to your house in 10 years you probably will already have moved.
[+] joshstrange|3 years ago|reply
> These days, one would hope LEA officers would at least look at who owns the domain name, but you just said that the registrar transferred it to you and changed the WHOIS data to use your full name and address.

I started to write a comment about how horribly optimistic this is but then I thought about it some more.

If it is indeed "Local" police you are probably screwed. They have zero understanding of the internet/tech and even people in positions with titles like "Cyber security" at your local station are probably just cops that got promoted into that role and have very little to zero understanding. Every interaction with my local cops w.r.t. technology has been painful and fruitless.

Of course this assumes they would follow up on it in the first place. My LEA outright refused to lift a finger with a harassment case even when provided step by step instructions (and we knew who was behind it) on how to request information from the company the harasser was using (throwaway phone numbers). That said, maybe an instance like the author describes would get them off their butts.

If it goes up to a federal level then maybe they would understand the nuance of domain transfers, but not before kicking in your door.