Anonymous Threats
Our local community has recently had threats where the user has a FaceBook profile and is threatening the schools, and several surrounding schools, saying he is going to shoot everyone and blow them up... This is an investigation, but it is getting out of hand. Several police/FBI raids, but yielded no results, and/or did not catch the right person. He/she is taunting them, local and federal.
I would ASSUME he is using some sort of proxy/anonymizer such as TOR or something similar. Is there any way to sniff for that type of traffic on my network? I want to make sure that they are not using us as the source.
Any thoughts on how to catch this person? Even if it isn't us, and it is somewhere else I would like to put a stop to it. Preferably off-list if you do respond...
Thanks in advance.
Eric Rogers
www.pdsconnect.me
(317) 831-3000 x200
Even if you find somebody running TOR, you can't see inside it. They also could simply be running an exit node, or $reason.
On Jan 10, 2016 5:02 PM, "Eric Rogers" <ecrogers@precisionds.com> wrote:
Our local community has recently had threats where the user has a FaceBook profile and is threatening the schools, and several surrounding schools, saying he is going to shoot everyone and blow them up... This is an investigation, but it is getting out of hand. Several police/FBI raids, but yielded no results, and/or did not catch the right person. He/she is taunting them, local and federal.
I would ASSUME he is using some sort of proxy/anonymizer such as TOR or something similar. Is there any way to sniff for that type of traffic on my network? I want to make sure that they are not using us as the source.
Any thoughts on how to catch this person? Even if it isn't us, and it is somewhere else I would like to put a stop to it. Preferably off-list if you do respond...
Thanks in advance.
Eric Rogers
www.pdsconnect.me
(317) 831-3000 x200
I think if the FBI wants your help, they'll let you know.
In the meantime, I would probably avoid anything that looked like you are spying on your customers, especially if you are explicitly targeting customers who are attempting to anonymize their traffic (for whatever reason). No matter how well intentioned. I can see a number of downsides...
But in simple terms, if it's Facebook, it's HTTPS, and seems you are basically done there. Regardless what anonymous transport they use, you wouldn't be able to see what they are up to...
On Jan 10, 2016 6:14 PM, "Josh Reynolds" <josh@kyneticwifi.com> wrote:
Even if you find somebody running TOR, you can't see inside it. They also could simply be running an exit node, or $reason.
On Jan 10, 2016 5:02 PM, "Eric Rogers" <ecrogers@precisionds.com> wrote:
Our local community has recently had threats where the user has a FaceBook profile and is threatening the schools, and several surrounding schools, saying he is going to shoot everyone and blow them up... This is an investigation, but it is getting out of hand. Several police/FBI raids, but yielded no results, and/or did not catch the right person. He/she is taunting them, local and federal.
I would ASSUME he is using some sort of proxy/anonymizer such as TOR or something similar. Is there any way to sniff for that type of traffic on my network? I want to make sure that they are not using us as the source.
Any thoughts on how to catch this person? Even if it isn't us, and it is somewhere else I would like to put a stop to it. Preferably off-list if you do respond...
Thanks in advance.
Eric Rogers
www.pdsconnect.me
(317) 831-3000 x200
Report it to the authorities and trust that they can handle it, no matter how difficult that is. Remember your place that you are just the admin/operator and not the hero. If they need your help, law enforcement will ask for it. Sucks but what would you do if you found his IP address? Go to his house? No matter what, law enforcement needs to own the problem.
Thanks,
Scott
On Sunday, January 10, 2016, Notmatt Pleaseignore <networkhood@gmail.com> wrote:
I think if the FBI wants your help, they'll let you know.
In the meantime, I would probably avoid anything that looked like you are spying on your customers, especially if you are explicitly targeting customers who are attempting to anonymize their traffic (for whatever reason). No matter how well intentioned. I can see a number of downsides...
But in simple terms, if it's Facebook, it's HTTPS, and seems you are basically done there. Regardless what anonymous transport they use, you wouldn't be able to see what they are up to...
On Jan 10, 2016 6:14 PM, "Josh Reynolds" <josh@kyneticwifi.com> wrote:
Even if you find somebody running TOR, you can't see inside it. They also could simply be running an exit node, or $reason.
On Jan 10, 2016 5:02 PM, "Eric Rogers" <ecrogers@precisionds.com> wrote:
Our local community has recently had threats where the user has a FaceBook profile and is threatening the schools, and several surrounding schools, saying he is going to shoot everyone and blow them up... This is an investigation, but it is getting out of hand. Several police/FBI raids, but yielded no results, and/or did not catch the right person. He/she is taunting them, local and federal.
I would ASSUME he is using some sort of proxy/anonymizer such as TOR or something similar. Is there any way to sniff for that type of traffic on my network? I want to make sure that they are not using us as the source.
Any thoughts on how to catch this person? Even if it isn't us, and it is somewhere else I would like to put a stop to it. Preferably off-list if you do respond...
Thanks in advance.
Eric Rogers
www.pdsconnect.me
(317) 831-3000 x200
-- Scott
Thank you for all that have responded, and this response has been the majority, to leave well enough alone. I guess I was hoping that maybe I could offer a new way to help narrow this search down.
It has been extremely frustrating to see someone so blatantly cocky in how he is taunting the authorities, yet threaten people's lives... this person is taking pictures of "intended targets" and their young children saying "maybe they won't make it home tonight" and much, much worse... I have reached out to local authorities to offer any help, and I haven't had any response, so at this point I am not going to do anything to slow or interfere with any investigation... this person needs caught.
As a secondary, I was thinking that by looking at the type of traffic, by using a sniffer/IDS or some mechanism to generate a list of possible users so if authorities came knocking I could help them ask for the correct information for a warrant.
My personal guess is that they are not from this area, possibly overseas from the US and using proxies that are nearby the target community. That means any looking into my network won't do any good except find any "exit nodes" in the TOR world, but there are several other ways to do the same thing, and too many to keep up.
Eric Rogers
PDS Connect
www.pdsconnect.me
(317) 831-3000 x200
-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Scott Fisher
Sent: Sunday, January 10, 2016 8:30 PM
To: Notmatt Pleaseignore
Cc: NANOG
Subject: Re: Anonymous Threats
Report it to the authorities and trust that they can handle it, no matter how difficult that is. Remember your place that you are just the admin/operator and not the hero. If they need your help, law enforcement will ask for it. Sucks but what would you do if you found his IP address? Go to his house? No matter what, law enforcement needs to own the problem.
Thanks,
Scott
On Sunday, January 10, 2016, Notmatt Pleaseignore <networkhood@gmail.com> wrote:
I think if the FBI wants your help, they'll let you know.
In the meantime, I would probably avoid anything that looked like you are spying on your customers, especially if you are explicitly targeting customers who are attempting to anonymize their traffic (for whatever reason). No matter how well intentioned. I can see a number of downsides...
But in simple terms, if it's Facebook, it's HTTPS, and seems you are basically done there. Regardless what anonymous transport they use, you wouldn't be able to see what they are up to...
On Jan 10, 2016 6:14 PM, "Josh Reynolds" <josh@kyneticwifi.com> wrote:
Even if you find somebody running TOR, you can't see inside it. They also could simply be running an exit node, or $reason.
On Jan 10, 2016 5:02 PM, "Eric Rogers" <ecrogers@precisionds.com> wrote:
Our local community has recently had threats where the user has a FaceBook profile and is threatening the schools, and several surrounding schools, saying he is going to shoot everyone and blow them up... This is an investigation, but it is getting out of hand. Several police/FBI raids, but yielded no results, and/or did not catch the right person. He/she is taunting them, local and federal.
I would ASSUME he is using some sort of proxy/anonymizer such as TOR or something similar. Is there any way to sniff for that type of traffic on my network? I want to make sure that they are not using us as the source.
Any thoughts on how to catch this person? Even if it isn't us, and it is somewhere else I would like to put a stop to it. Preferably off-list if you do respond...
Thanks in advance.
Eric Rogers
www.pdsconnect.me
(317) 831-3000 x200
-- Scott
On Sun, 10 Jan 2016 20:45:25 -0500, "Eric Rogers" said:
Thank you for all that have responded, and this response has been the majority, to leave well enough alone. I guess I was hoping that maybe I could offer a new way to help narrow this search down.
The only thing that's more likely to get you into trouble than acting "under color of law" (meaning doing it at the express request of law enforcement) is taking the same actions *not* under color of law (at which point it's your problem, not law enforcement's, if you break any laws).
I'll keep a look out
On Sun, Jan 10, 2016, 5:02 PM Eric Rogers <ecrogers@precisionds.com> wrote:
Our local community has recently had threats where the user has a FaceBook profile and is threatening the schools, and several surrounding schools, saying he is going to shoot everyone and blow them up... This is an investigation, but it is getting out of hand. Several police/FBI raids, but yielded no results, and/or did not catch the right person. He/she is taunting them, local and federal.
I would ASSUME he is using some sort of proxy/anonymizer such as TOR or something similar. Is there any way to sniff for that type of traffic on my network? I want to make sure that they are not using us as the source.
Any thoughts on how to catch this person? Even if it isn't us, and it is somewhere else I would like to put a stop to it. Preferably off-list if you do respond...
Thanks in advance.
Eric Rogers
www.pdsconnect.me
(317) 831-3000 x200
I’m pretty sure that is what TOR was designed to prevent. While your intent may be altruistic, technologically speaking, there is no difference between that and say Iran or China sniffing out traffic.
On Jan 10, 2016, at 3:59 PM, Eric Rogers <ecrogers@precisionds.com> wrote:
Is there any way to sniff for that type of traffic on my network?
I have an idea. Indianapolis Cybercrime should stop playing politics and treat people like me who are willing to help, and were hugely successful with respect, and not like a mob informant. That said, post Snowden, I doubt I would go back... even with Brian Kils bullshit.
Andrew D Kirch.
On Sunday, January 10, 2016, Eric Rogers <ecrogers@precisionds.com> wrote:
Our local community has recently had threats where the user has a FaceBook profile and is threatening the schools, and several surrounding schools, saying he is going to shoot everyone and blow them up... This is an investigation, but it is getting out of hand. Several police/FBI raids, but yielded no results, and/or did not catch the right person. He/she is taunting them, local and federal.
I would ASSUME he is using some sort of proxy/anonymizer such as TOR or something similar. Is there any way to sniff for that type of traffic on my network? I want to make sure that they are not using us as the source.
Any thoughts on how to catch this person? Even if it isn't us, and it is somewhere else I would like to put a stop to it. Preferably off-list if you do respond...
Thanks in advance.
Eric Rogers
www.pdsconnect.me
(317) 831-3000 x200
Was this intended for the list? It's a bit confusing.
On Jan 10, 2016 9:58 PM, "Andrew Kirch" <trelane@trelane.net> wrote:
I have an idea. Indianapolis Cybercrime should stop playing politics and treat people like me who are willing to help, and were hugely successful with respect, and not like a mob informant. That said, post Snowden, I doubt I would go back... even with Brian Kils bullshit.
Andrew D Kirch.
On Sunday, January 10, 2016, Eric Rogers <ecrogers@precisionds.com> wrote:
Our local community has recently had threats where the user has a FaceBook profile and is threatening the schools, and several surrounding schools, saying he is going to shoot everyone and blow them up... This is an investigation, but it is getting out of hand. Several police/FBI raids, but yielded no results, and/or did not catch the right person. He/she is taunting them, local and federal.
I would ASSUME he is using some sort of proxy/anonymizer such as TOR or something similar. Is there any way to sniff for that type of traffic on my network? I want to make sure that they are not using us as the source.
Any thoughts on how to catch this person? Even if it isn't us, and it is somewhere else I would like to put a stop to it. Preferably off-list if you do respond...
Thanks in advance.
Eric Rogers
www.pdsconnect.me
(317) 831-3000 x200