We realize that this crosses the line of "feeding the trolls" or giving attention to "bad guys", but we feel it relevant for our industry. Our lives and work are completely online and we're all highly susceptible to types of hacks and identity theft. It should go without saying that you should not try to be a hero here: if you visit EarlDrudge's site(s), try to expose his identity, or try to snoop around on him, you might actually put yourself in a position where you yourself might be vulnerable to being attacked. We advise you to simply listen.
Update since the recording (from Chris): I was able to talk with Media Temple directly only hours after this conversation. One good end result is that they have changed their policy of how/when/what documents can be approved in which to grant access and who can do that. The retaliation attempt ("honeypot") was verified to have been done by Media Temple. They were trying to catch the bad guy for me, and while I wish there was better communication about that, it's nice to know they were trying to fight back on my behalf.
DAVE: Hi. You're listening to a very special episode of the Shop Talk Show. In this episode, Chris sits down with Earl Drudge, the person who hacked his server and stole his identity. We realize this crosses the line of feeding the trolls or giving attention to "bad guys", but we feel it relevant for our industry. Our lives and work are completely online, and we're all highly susceptible to these types of attacks and identity theft.
It should go without saying that you should not try to be a hero here. If you visit Earl Drudge's site or try to expose his identity or try to snoop around on him, you might actually put yourself in a position where you yourself might be vulnerable to being attacked. Probably best to stay away so as to not cause attention to yourself.
As always, thanks for listening to Shop Talk. We hope you enjoy this episode and find it informative. We now join Chris and Earl Drudge in their prerecorded Skype call.
CHRIS: Hello, everybody. Thanks for listening to Shop Talk Show. Notice there was no theme song this week. Dave is traveling out at a conference, so he's not going to be on the show and, thus, no sound effects and stuff like that -- sad day. But also because this is a very unusual show with possibly the most unusual guest we've ever had on Shop Talk Show. And he goes by the name of Earl Drudge. Hi, Earl. Thanks for joining me.
EARL: Yep. Hi, Chris. It's nice to have invited me on the show. Yeah.
CHRIS: Yeah. So I thought we would -- there's a reason me and you are talking right now, and this is going down, and it's kind of strange and interesting. I thought I would just kind of explain the back-story of why that is, and then we'll kind of try to synch up our stories and figure it out all.
So it was, I guess it was, just to put on a date on it because I'm trying to be kind of accurate about this. It was March 7th, and today is March 18th, so it was like 11 days ago or something like that. I woke up to an email that I got from my hosting company, Media Temple, that said, essentially, "Here's your account --" it was your account reactivation letter or a resending of my account activation letter.
And as people know, when you sign up for a hosting company, you get this email from your hosting company that has a bunch of stuff in it, your, you know, welcome to the hosting company. Here's like FTP access and whatever. I forget all the stuff that's in there.
But it also lists what the primary email address is for your account. And at that, it wasn't mine. It was somebody else's. And I was like, oh, crap! Somebody was able to, you know, get access to my hosting account, and that's kind of a big deal, right, because it's all -- I mean, I actually have two different accounts there and stuff hosted elsewhere, but this was my main account, the one that has CSS-Tricks on it and a couple of other sites.
I was like, crap! I wonder if this is like -- because, you know, once in a while you can get an email, like from PayPal, that's like your PayPal account has been compromised, but it's just spam. But this was real. It was a real letter from Media Temple, so I was understandably nervous and worried.
The first thing I did was go to Media Temple and try to log into my account, and I couldn't. The password had been reset or whatever. So I'm like, this is real! Somebody has gotten into my site, and I was nervous about that and reached out to Media Temple on Twitter and said, well, look, I can't get into my account. This is crazy. And they kind of reacted fairly quickly.
Then I got another one of those emails, that same kind of account activation email with my corrected information and stuff on it, maybe 15 minutes after I reached out to them on Twitter. I was able to log into my account again and kind of -- cool! To me it was like, well, this was a real thing, but it was resolved fairly quickly.
The person who did that is Earl Drudge. That's not your real name, right? But that was you, right?
EARL: Yeah, that's me.
CHRIS: Okay. I mean, and I guess we shouldn't have to say, but it's not Earl's real name here. I'm sure he's taking every precaution to make sure he's very anonymous in this.
EARL: Yeah. So my timeline of the events is pretty much the same except it extends a little bit more in both directions. Previous to when I had gone after your site, what had happened was, I was trying to get easy money. I was going after like Bitcoin gambling websites because a lot of those sites will pay out automatically. And the problem with that is that you have to have the coins in like hot storage on the website.
EARL: And I had found one. It was SatoshiSquared.com that was hosted by Media Temple, and so I started exploring what my options were to go steal the coins, which I did end up doing. I only got $96, which given the time that I had spent on it, I mean I guess it was worth it. I did only spend a couple hours, but --
CHRIS: So that's pretty interesting. You found a Bitcoin gambling site, which I think we can all basically imagine what that is, right? It's a real gambling site, but you use Bitcoin to do it.
CHRIS: And you just happen to figure out that they were hosted by Media Temple. How do you even--? It's easy to figure out on CSS-Tricks. I say it all the time. But how did you figure out this site was hosted on Media Temple?
EARL: What you can do is check the whois, and normally you can see the name servers will give you some kind of hint, or you can go to who.is, and they host cached information of like old whois information from websites, and sometimes that'll list name servers in case they've moved it to like CloudFlare or whatever.
CHRIS: Sure. And that's what matters, right, is the name server because every hosting company will have their own name servers that essentially point to.
EARL: Yeah, some people set up their own, but for the most part, if it's something worth spending the time on, it's already got some of the stuff just sitting out there for you.
EARL: And so what I did with SatoshiSquared was, I called Media Temple because I had never heard of them. I called them, and I said, like, "Hey, this is--" I'm not going to say his name --
EARL: -- because I'm not sure how he would feel about that but, "This is the owner of SatoshiSquared.com. I don't know what my primary email address is on file. I was wondering if you could change that for me." And they said, "Yeah, sure. We've got this form on our website. You just fill it out, sign it, and send in a picture of your government issued photo ID."
CHRIS: They told you how they want you to do the --
EARL: Yeah, and normally you would think that's a very good practice because, if you're actually verifying the government IDs, then that would be a very good process because it would be very hard, through any method, to get you to send in a picture of your government ID, like to get a picture to send in.
EARL: But the problem is that they don't, like, they don't check the government IDs. So what I did was I found a Photoshop document of an American passport, and knowing the --
CHRIS: Yeah, I've seen this one. This is kind of good, but go on.
EARL: And knowing that they didn't have a picture of him, they didn't know his date of birth because all they would have at most would be like maybe his credit card details.
EARL: So most of the information didn't even have to be right. All I really needed was his name and --
CHRIS: For it to look reasonably realistic.
EARL: Yeah. And then I just checked. I think I just checked the whois information on his website, and that listed his address. And in the form, the other little hurdle that you have to get over is they expect a signature. If you wanted to make it really real, you could print out the form and actually sign it and just scan it, and it wouldn't matter because, you know, unless you -- it'd be pretty amazing if they could find you based on your handwriting. But what I had just done was, because his name had no repeating characters, I just used a handwriting font, and apparently nobody picked up on that during the reset process.
CHRIS: Wow! You know what's funny to me, as I'm a bit of a designer, I've seen the -- because you just, you have it up on a domain. You can download this Photoshop file from one of your servers, or at least Media Temple knew about it, you know, or maybe you just sent them a link to it, and that's how they downloaded it. Anyway, Media Temple has seen and downloaded this file as well. It's still there as far as I know.
CHRIS: It has this big, gnarly, fake drop shadow behind it. And a drop shadow like that can only be applied in something like Photoshop. There's no way it's a scan. You know, I don't know where you originally got --
EARL: Yeah, because it would be -- I just found it on some -- I found it on a website that was meant for like fraud related things.
CHRIS: Yeah, sure.
EARL: And, like, the people who post there, they always, they never speak very good English, so it took me a while to find it, actually. But I just worked with what I had.
CHRIS: Sure, I mean, okay. The point is that it's kind of funny in that anybody --
CHRIS: -- worth their salt, there's no way it's a scan. I mean, scans don't have drop shadows like that. Photographs don't have -- it looks like a fake, applied layer style to that thing. It's just funny that that somehow passed muster.
EARL: Yeah, yeah.
CHRIS: Okay. Yeah, go ahead.
EARL: There was actually one little article written about me. If you Google my email address, like in quotations, you can find it. Yeah, if you Google that, there's an article. It's called like, "Oh, hi. Let me verify your identity," and it was someone making fun of a really poor-- I was trying to get a woman's website, and I put up a picture of the person smiling in the passport, which you're not allowed to do in a passport photo. And even then, I mean, it got caught, but it got caught significantly into the reset process.
CHRIS: Yeah, this is the same. This is the same thing. It's not even a passport. It's a passport card. I didn't even know that was a thing.
CHRIS: Okay. Yeah, that's funny. I've actually never seen a Google result with only four results, but that's the case here. Okay. So you got access to -- and so it was effective, your attack on the Bitcoin gambling site. I forget what it was.
CHRIS: But that worked, so that's what led you to believe that Media Temple has these practices in place that you can exploit in which to get into other Media Temple sites.
EARL: Yeah. And the reason that it didn't work on your site, I'm not sure if you had checked, you had seen the time that the first email came, but --
CHRIS: 3:31 a.m.
EARL: I was asleep when it got sent out. And if I hadn't been, it actually would have gotten me into the site. But just because their legal team decided to be doing paperwork at 3:00 in the morning, it didn't work.
CHRIS: Yeah, okay. So that's interesting. I mean, not that -- I am in no way trying to track you, track this information or whatever, but you are saying that this 3:33 a.m. is your 3:33 a.m. And, based on your accent or whatever, even though this PSD is available at some .fr domain, and I think you might have another FR domain, you're not French.
EARL: No, not even a little bit.
CHRIS: Okay. So that was funny. People were like, "He's in France." You know, I'm like, yeah, maybe we should hold off on that.
EARL: If you check the whois details, I think it lists the name Earl Drudge, and then it lists the country as Iceland.
CHRIS: Oh, yeah.
EARL: That's also wrong.
CHRIS: I'm sure, so it sounds a little bit more like a North America situation, but whatever.
CHRIS: We don't have to get into that. Okay, so that's interesting you say that it didn't work on my site, so it didn't? I mean, you were never able once to log into my Media Temple account and do anything at all?
EARL: Well, the first time I wasn't, but then on the 14th, and to this day I actually don't know whether you did this or whether Media Temple did it because it had to be either your actions or Media Temple acting as you to try to catch me.
CHRIS: Well, let's wait on that and get into that in a minute.
CHRIS: Because that's all -- that's a very interesting thing. But it's just, it's a little bit later in the timeline.
CHRIS: And it's of big relevance to this because things really do get weird at that point. But so there was a social media or social -- social media -- engineering is what they call that, right, when you're willing to pick up a phone and impersonate somebody, essentially that's what they call that, yeah?
CHRIS: And, you know, interesting to me, to your credit, I think it takes some balls. You know, I couldn't. I don't know that I would have it in me to pick up a phone and just call and just completely impersonate somebody. I don't know. I don't know what my point is there. I'm just saying that's kind of --
EARL: Yeah, it's funny. I've actually-- You're right. It does take more than some people realize. Like I used to record myself when I would do it. I had originally made calls to Comcast, and you could just say, "Hey, my name is Earl Drudge. I'm working at the Comcast service center in Milwaukee, Wisconsin. I was wondering if you could help me look up a customer's information on Grand Slam. I'm having a little bit of trouble. Grand Slam keeps freezing." And like you could look up a customer's information and get them to read them out to you.
CHRIS: So you practiced this before. This is -- it's a --
EARL: Yeah, and --
CHRIS: -- you know, a little bit of a hobby of yours.
EARL: And I used to record myself, and my voice used to shake, and it doesn't anymore because I've just done this so many times.
CHRIS: That's -- that's great. All right, so that's how you could get in. And at one point you had blocked some kind of thing where it stopped working. And Media Temple has reached out to me a little bit because, as this -- what -- I'm forgetting the day exactly, but slightly after this and when they reset it or whatever and you didn't get the activation email in time, you didn't stop. I mean, you straight up just tried it again, right?
EARL: For a little bit, I tried it again, but then I was ready to just walk away.
EARL: And if you want to get into why I had targeted your site, I can explain that because that kind of ties into --
CHRIS: Yeah, maybe we'll go with that too because of course anybody that's been in this position has this kind of why me feeling, you know, like I was targeted. I was targeted by you. In some regards, if you had it your way, something would have happened to my site. I'm not sure what you would have done. Maybe you could talk about that too, but maybe talk about why me, why Chris Coyier, why CSS-Tricks, and then what would you have done if you got in and were able to do what you wanted.
EARL: Well, the reason that I had picked your site was, if you visit the website HostCabinet, but it's like hostcabi.net, you can type in a website, and it'll tell you where that site is hosted. And what's cool about that is you can sort it by the amount of traffic that the site gets. And the first most traffic heavy website hosted by Media Temple was jQuery.com, which I found out is actually, despite being listed on the hostcabi.net list, is no longer hosted by Media Temple.
EARL: And the next one down, the second one, the one that gets the second most traffic was CSS-Tricks.
CHRIS: Wow! I had no idea. I can't even imagine that's true. I mean, on hostcabi.com it doesn't surprise me because who knows how they get their data or whatever, but there's surely, there's got to be some mommy blogger or something who is crushing me. But apparently that's not.
EARL: Apparently not, but yeah, what I was going to do --
CHRIS: Is that solely what it is? It was solely traffic only? It was like I want to get a high-level traffic thing. I've never heard of CSS-Tricks or Chris Coyier before, but --
EARL: It was that, and it was also that your Twitter had like a ton of followers because what I was trying to do, you know, to be clear, I'm not like the good guy here, and I'm not going to try to make myself sound that way, but what I did want to do in doing this was get a positive message out about the fact that Media Temple does not verify government IDs and that that is a major security issue because let's say that jQuery.com were to be hosted there, and let's say I get into jQuery, and I can go mess with the stuff that people are referencing from jQuery.com. I could have malicious code in thousands of websites all across the planet because they're all referencing jQuery. And Media Temple in not verifying the IDs and not, you know, making sure that their customers are safe, that puts a lot of other people at risk too.
CHRIS: That's true. It's true, and it does, and maybe this will help in some small way. Although, like I said, you're willing to say that you're not the good guy in this and, you know --
EARL: Yeah, I also did it for attention because I'm a vain kind of --
CHRIS: As we all are.
EARL: -- person like that. Yeah.
CHRIS: We can get into that a little bit too in that, you know, as different as the ways that we choose to spend our time are, I do things for money and attention also, which makes us not entirely different at our core.
CHRIS: Okay. So CSS-Tricks was a good target for that for various reasons: Twitter followers and such. That's -- this is all just -- it's almost hard to listen to and interesting. This is going to work out so that people are aware of this.
Now at some point they kind of did change there, so you tried again after it failed, and they didn't let you in. So at some point there was some kind of -- they'd learned their lesson, maybe, or there's extra protection specifically on my account because they know it's being targeted.
EARL: Yeah, it was your account specifically that they had put extra protection on.
CHRIS: Yeah, and hopefully there's some policy change. And they alluded to me that there is going to be some policy change about what government IDs can be accepted and not and whatever. And we'll see if they have a public statement about that because I think people will want to know. You know, as much as I don't want to piss off my host anymore, I feel a social responsibility here to explain all of their actions and how this went down so that they can change for the better too. I think we have a similar goal there in that I want to, you know, give them credit where credit is due, and hold them responsible for the things that they did wrong, one of which is allowing this crazy Photoshop document to straight up allow you to change my email. That is crazy to me.
So, all right, I kind of want to move forward in the timeline a little bit. Maybe just before we go to the final part with the honeypot and all that craziness, maybe we could talk a little bit about you and just, you know, as deep as you want to go into it. Obviously we can't talk about the town you live in or anything like that because --
CHRIS: -- irresponsible of you as a bad guy, but what kind of generic background do you have, or is this how you spend most of your time on this kind of thing, or do you also have a job?
EARL: I do not have a job. I'm a third year security student at an unnamed college. Of course --
CHRIS: You literally go to college for computer security.
EARL: Yeah. I started when I was -- like I started getting into the computer security when I was probably like 13 or 14, and I quickly realized that the technical end of stuff like SQL injection, I just didn't really get it. I’m a competent programmer, but just stuff like that has always just escaped me. But lying to people and, you know, tricking people, deceiving people because that's all that social engineering really is when you get down to it, that's just something that I have always kind of been really good at.
CHRIS: Yeah. You did mention at one point that you don't even have to be particularly good at it for it to work.
EARL: Yeah, like the Photoshop document, I'm sure that like there are other websites online where you can pay for a very high quality Photoshop document of a passport like one that looks like it was just sitting on a scanner when the image was taken. But I just didn't want to spend that kind of money when I could find a free one that worked adequately.
CHRIS: Okay, so computers is your thing now. That's what you do. That's what you go to school for. What else? I mean, do you have classmates at university? Do friends do this kind of thing too, or are you kind of off on your own? Do you have kind of online friends that you commiserate with about this kind of thing? Is there camaraderie amongst the community?
EARL: I have online friends. I also do -- I sell drugs. That's one thing, so I have a lot of people that I know from doing that, and I'm pretty social. A lot of people seem to think with the like hacker stereotype that I'm like some greasy dude sitting at the computer for 18 hours a day. But I'm pretty normal, aside from all of this. The people in my life don't really know about this for the most part.
CHRIS: That's probably a good idea for your sake, huh?
CHRIS: This is technically illegal, right?
CHRIS: This was kind of funny. You know, because obviously I'm somewhat normal myself and have some friends, and when I kind of explained to them what happened to me because this is kind of a crazy story. You know, it makes for a good bar conversation. Of course the first place they go is, "Let's get this guy!" You know, I'm sure you've experienced that type of thing before.
EARL: Oh, absolutely, yeah.
CHRIS: People get redheaded right away, and they have all these ideas about what they want to do and how they're going to do it and all this stuff. I'm like, "Listen. A) There's no way you're going to find this guy. That's the whole point is that--"
CHRIS: "-- it's untrackable." Even if you could, you're just doing the same. You're just stooping to a possibly worse level than what happened to me to begin with. And nothing actually happened. I mean, we'll get to one thing that actually did happen in a minute, but anyway. Anyway, I just wanted to get a sense of who you are a little bit. Literally go to school somewhere in North America for computer security. You know a bunch of people, are relatively normal otherwise. They probably, most of them, don't have any idea that you do this type of thing on the side. But motivationally, you do it like the reason most of us do things, for some money and for some attention.
CHRIS: There we go.
EARL: Pretty much that encapsulated me pretty well.
CHRIS: What about the -- when you graduate from this, are you intending to take some kind of criminal behavior as a career or it will always be kind of a side project? I guess, does it even matter? Do you even think about that?
EARL: It's always kind of a tough choice because, you know, criminals tend to get caught in the end, and I'm not, like, I'd say I'm a pretty smart guy, but I'm not like a super genius.
CHRIS: Yeah, and not looking to get caught either, right.
EARL: Yeah, exactly. So I would like to take it legal, and it would be nice to be able to cite some of this experience because I have done things openly, like with my own name, for security that kind of gives me credit, like for getting a job. But on the other hand, the criminal behavior is always a lot easier.
CHRIS: Yeah, well, yeah, that's what --
EARL: And that is why people do it, I guess.
CHRIS: Yeah, that's what they say.
EARL: So I'm not really sure where I'm going to take it.
CHRIS: Okay. Let's take it for a minute and move forward in the timeline just a little bit, a week later maybe. You know, March 7th was when I got the reactivation letter. And then it was March 15th, I think. Of course, I took some actions to protect myself because I was like, this is happening to me. This is crazy. I have no idea what to do. Something like this specifically hasn't happened to me directly. I had a weird situation that I don't even know if you know about, but I'll explain to you at the end where something else was stolen from me related to CSS-Tricks, and I would actually like to get your insight on it because I have never gotten to the bottom of it to this day.
But what happened is, they wanted to catch you, I think. Media Temple wanted to give me the good news that they got the guy. So what they did -- what's funny about this is the reason I know this even happened is through you. They won't even talk to me. And I feel weird saying that, but I've been trying to get Media Temple to explain to me what the heck happened from their side of the story, and they won't even tell me.
CHRIS: So I think they're trying to handle this in a medias kind of way that's really clean, but anyway, so they did what you call a honeypot. And I had to go to Wikipedia to try to figure out what it is. Maybe you could explain to me and to this audience what the hell, and what did they do to try to --
EARL: So, all right. I'm going to read out. I'm not going to read out all the account details I got in that one email on March 7th, but I'm going to read out some of them, and I'm going to censor it, you know, for your safety because I don't want someone else trying to take your site using the same information. So on March 7th, I got an email saying dear Chris, below is blah, blah, blah. Here's your information. It says account owner: Chris Coyier. Am I saying that right?
EARL: Yeah, and says account number: 121-- Those were the first three digits. There are also some other ones I'm not going to read. And it says: account anniversary date 2008-11-15. And that was your real site. And the primary domain was new.css-tricks.com. So that was the legitimate --
CHRIS: But there wasn't a dash, wasn't there? Where did I see this? I have a screen capture of it somewhere, but it wasn't really my domain because it didn't have a dash between CSS and --
EARL: No, and there was -- then this is the other one that I got. I got another one on March 14th at --
EARL: Yeah, and I got another one --
CHRIS: This is the fake one or whatever?
EARL: Yeah, this is the one where I think either -- I guess it wasn't you, but I think --
CHRIS: Well, it wasn't me. I'll tell you that. I have no idea about any of this.
EARL: Yeah, I think it was Media Temple trying to handle the situation on their own. It says account owner Chris Coyier, account number 271613, and account anniversary date 2014-03-14. And for the primary domain, it was dev-csstricks (with no dash) .com.
CHRIS: Okay. So what is their goal in sending you a letter like that?
EARL: Well, what I think what they were hoping to happen was that I would click it, like out of curiosity, which I did, and that -- because they had set up a VPS that was the lowest tier of VPS that they had, I believe, and it was in no way connected to your regular account, which immediately stood out to me as a red flag, like this is obviously not his regular account.
EARL: And it was created the same day I got the email, so I was thinking like how would he just accidentally type my email in. And so I log into the VPS through Tor and everything, you know, taking the precautions because it was obvious to me right away that it was some kind of trick.
CHRIS: What do they want from a trick like that? Is it your IP address? Is that what--?
EARL: I would think so, yeah, because if they get my IP address then they could contact my ISP, which given they should have considered that I had been on a VPN when I sent the emails to them, and I had also --
CHRIS: I mean, what does a VPN mean? I know it means virtual private network, but it means that it masks your real IP in some way, yeah?
EARL: Pretty much, yeah, and the idea is that they don't keep logs of what you do, so in case the government ever comes to them and says, hey, this IP address has been doing bad things to someone.
EARL: Whose is it? They can say, sorry, we can't help you, don't know, even if they have like a court order.
CHRIS: Okay. Because they don't know.
EARL: And so I logged into the VPS, and I started just poking around and breaking shit just because I knew it wasn't going to stay around for long. And I kept checking if there was anyone else logged in, and there were other people logged in, and there were other people logged in, presumably watching what I was doing on it. And so I decided to download one of those little Perl denial of service scripts and point it at your regular website to see what would happen because I knew they were watching. And within a minute of doing that, the VPS shut down and it has not been back up since.
CHRIS: Okay. So there wasn't a sustained DDoS on my own site through this.
EARL: No. It was just probably a minute's worth and then they took it. They took the VPS down, and that's when I was like absolutely 100% sure that it was someone trying to set me up.
CHRIS: Right, and you possibly had been, like, why wouldn't it have been me? Or least why wouldn't have I okayed this thing.
CHRIS: You probably assumed that it either was me or it was Media Temple acting on my behalf that I agreed to.
EARL: Yeah, that was absolutely what I had figured.
CHRIS: Yeah, which of course you would believe that. It just so happens that that isn't true, and I think this is what, you know, it kind of irks me in both directions. I don't like being attacked, period. But I also don't like that -- it kind of annoys me that the reason things escalated from here is from some honeypot thing, which I guess what that means is setting up a fake server to try to get somebody to log into it.
EARL: Yeah. In this case, yeah.
CHRIS: That's what really pissed you off. And believe me, there's been some anger thrown around in both directions at some point. You've called me some names. There's obviously been some, like, if I would Tweet in frustration, I could sense some enjoyment from you. I'm sure that you'd --
CHRIS: -- get a kick out of that once in a while when I'm like, you know, just at my wit's end trying to reach out to Media Temple for help and stuff. You can tell that you enjoy that kind of thing, not to, you know --
CHRIS: -- put you too much on the spot here. But, you know --
EARL: Yeah, I think it --
CHRIS: -- the reason that it got where it got is because of some activity from some company that I didn't even approve, that makes it double frustrating to me. I get to be frustrated at both sides. Anyway, do you have any--?
EARL: Yeah, I think that that was a really irresponsible move on their part because knowing that I had already gone after the site, you would think that they would expect, like, yeah, he already beat -- I mean, I did kind of get in in the sense that it would have worked if I hadn't been asleep. And so you'd think that they would have considered that before taking action, like, on your behalf using your name that you did not approve that could have incited further, like, fighting.
CHRIS: Yeah, well, they didn't, and they won't even talk to me, apparently. I'm sure they'll talk to me after this. And I feel a little weird about it because they've -- I don't know. They actually don't give me free hosting anymore. I used to have some kind of media deal with them where they did, but actually I'm so frick'n unorganized financially that I just learned -- I was doing my taxes, as we do this time of year, that I was like going through my credit card statements like, oh, my God. I pay a bunch of money for hosting through them. Anyway, they have sponsored various things I did in the past, but they do not pay for my hosting. I pay for that.
What happened after this is that you were angry at what happened, and somehow you have my social security number, and this is one thing that we need to figure out. And I don't know if we'll be able to get to the bottom of it or not, but they swear up and down that they don't have it. They don't store it. Their agents don't have access to it. There is -- they just -- at one point they even got a fake, just like you have the passport, you have a fake social security card too, they said, that that -- and that you sent that into them too that had my real social security number on it, and they said they could do nothing with it because they don't have anything to compare that number to because they don't have it in my system.
EARL: Well, that's funny because that part was either not true or not me because I didn't send that in. And I do have the font for the social security cards, but I don't know if -- I don't think I have the actual social security card Photoshop document up on my site. But that part actually is not true. Like, I didn't send them in that, but I --
CHRIS: Okay. They might have been just confused or something too.
EARL: And I did lie about getting it from them because I just wanted to see if I could get a reaction out of them too.
CHRIS: Okay, so that's interesting. They're true. They don't have my social security number.
EARL: Yeah, that's true.
CHRIS: But you do, so Media Temple wasn't your only target for me. You got this some other way.
CHRIS: I don't publish it.
EARL: You can get that from a couple different places. If you have the money, there were a couple sites that have recently gone down for various reasons.
CHRIS: My God! Really? There's a site where you can just cough up a few bucks and get anybody's social security number.
EARL: Yeah, I believe it's like $3.70.
CHRIS: Oh, my God! It's that commoditized too! Like somebody works at some office somewhere where they can look it up, and they'll just look it up for you and sell it?
EARL: Yeah. It's ssndob.cc and ssnfinder.ru. Both of them are down. Ssndob had their name servers attacked, like their name servers have been changed back and forth because --
CHRIS: But you found the one that was up, and you were able to get mine for $3.
EARL: And also you can get it, because they were down at the time, you can get it through various like phone providers, your Internet company, your --
CHRIS: If you call up and do social engineering.
EARL: Yeah. You just call up and lie to them. Just lie, lie, lie to someone.
CHRIS: They'll tell -- I'm fascinated by that. So you say, "I forgot my social security number. Will you tell it to me?" And they will?
EARL: No, you don't even do that. You just pretend to be an employee.
CHRIS: Oh, that's even better, right? Because of course they'll give it to an employee. They won't just give it to somebody else.
EARL: Yeah. And what's funny is all you need to do is figure out the name of like whatever software they use to look it up. For instance, Comcast is Grand Slam is what they call it.
CHRIS: Oh, that makes you seem legit when you say it like that.
EARL: Yeah, like if you just use that, that's like the magic word, and they just believe that you're really an employee.
CHRIS: That's great. But in your case, you found a website to do it for you.
CHRIS: So then you got it. In some twisted way it makes me feel a little better because then the thing that happened in reaction to this is that you posted a whole bunch of information to something called Doxbin, which I've never heard of, but maybe you could tell us what that is. I mean, just because you posted on it, I went to their website and looked. It looks like dox means documents. Essentially it's like a post anything kind of site. Is that right?
EARL: Yeah. And because it's run through the Tor network, which I do have like Tor mirrors of my website up, because it's hosted exclusively through Tor and the service is configured right, there's basically nothing that anyone can do to get it taken down. Unless the owner of the website decides to take some action against it, which I actually am going to, given the circumstances. Like there is a strict non-removal policy, but I'm willing --
CHRIS: Yeah, let me read what it says because I was able to log in through -- I didn't actually set up Tor on my computer. Apparently that means the onion router or something. I don't know anything about it but --
CHRIS: But there's a way that you can do it through the Web, and it says like, well, if you don't really care too much about your security or whatever, and I was like, I don't really. I mean, I guess I should, but I was able to go -- I was able to view it through a Web browser without having to configure anything. And I went to the homepage of it, and it says -- there's a big text area. That's all there is.
And it says, "Docs go here. This not your personal slam page, nor is the page on which you brag about having owned someone or to complain that they owned you. Post whatever info you have and shut up. There are no limits of what you can post, so feel free to drop social security numbers, financial, medical info, or anything else that is blatantly illegal. We have a strict non-removal policy, so once docs go up, they stay up unless they are inaccurate or you didn't include at least a name and an address. Asking for docs to be removed is probably the surest way for them to be updated and expanded upon. You have been warned."
So it's kind of like a whatever, like a WikiLeaks kind of thing, right? Post it here and it will forever be on the Internet.
EARL: Yeah, a lot of people in like the hacker crowd put stuff up there because it's a way to go after people, and there's not much recourse they can do, you know, if you've protected yourself. And it's basically just like do this if you're mad at someone.
CHRIS: Yeah, which you were.
EARL: That's pretty much the gist of it.
CHRIS: And there's literally a link on one of your places to the Doxbin, which I originally clicked, and it just goes to a white page, right, because if you don't have Tor set up or whatever, you can't get access to the site. But if you go through one of their little Web -- I don't know how it works. But there's some way you can look at a Doxbin without having to set up that kind of thing.
I did, and what's posted under my name is literally my real social security number and date of birth and places where I've lived and my websites and that account -- I mean, so that forever on the Internet is this thing, right? And even if you were to -- even if we were to contact them, the chances are, if anything, they'll promote it, you know.
EARL: Yeah, most of the time what they'll do is, if you scroll through the archive on their site, anything that you see that has the little orange envelope symbol next to it is something where the person in the file has tried to contact the admins to get the post removed.
CHRIS: Wow! So it's extra juicy or something.
EARL: Yeah. So they put it up to --
CHRIS: Discourage that.
EARL: -- to create more. Yeah.
CHRIS: So if I were to call Doxbin, they would just -- of course it would be the opposite of --
CHRIS: It would just -- it would be bad news.
EARL: I feel like if I were to contact them, and I am going to try because I understand that the honeypot was not your idea, not your fault. Hopefully it'll do something other than get my email put up there saying, "Hey, could you take this down or something?"
CHRIS: I don't know what to tell you. The reason I felt better about the reason that you bought it for $3 is that anybody could do that for me, I mean theoretically. So the fact that it's on Doxbin really sucks and, of course, not knowing what to do, I immediately signed up for this like LifeLock service, which I don't even know if it works or not. But it's kind of the thing like if people have this number of mine, they can sign up for credit cards in my name. And if I'm in a delicate position right now or if my credit were to go bad, there's some life stuff that would really, really … my life pretty good. So I signed up for this thing to make sure that that doesn't happen, you know. But if somebody really wanted to open a credit card in my name, it would be easy. They would just go to one of these sites, buy my social security number for $3 and do it. So the fact that it's on Doxbin doesn't make that a whole lot worse.
CHRIS: Which I guess is some frick'n shining light in this mess.
EARL: And LifeLock, I understand, they do -- they actually are pretty good about what they do. My understanding of it is just that it makes it very, very much more difficult to steal your identity to the point where it really wouldn't be worth it unless someone had a personal vendetta and wanted to do it to you specifically because --
CHRIS: You could still beat LifeLock is what you're saying?
EARL: Pretty much, yeah, but it's more dedicated. And if you're in the fraud scene, you're not in it to go after this one specific person. You're just trying to go after anyone that you can get some money out of, and so they probably just take the $4 loss and move on.
CHRIS: Mm-hmm. Oh, they wouldn't even find out until they've already paid the $4, so at least I'll get them for $4.
CHRIS: Grrr. All right, so yeah, anybody that wants -- well, I'm not even going to say that. Let's -- that's where this, hopefully this story ends, kind of, is that -- I don't know. Whatever. There was some retaliation on both sides and some rising anger and stuff. And there's some kind of, you know, irreversible damage in that it's a little easier to find my social security number than it once was online. But thank God if you Google it, it still doesn't show up. At least Doxbin isn't indexed by Google, as far as I know.
EARL: It actually was. It's not anymore because a couple of the ClearNet Tor websites where you could get on Tor through the regular Internet, they did have Doxbin listed, but they have now banned people from accessing Doxbin on their service because of stuff like that.
CHRIS: Yeah. I mean, that seems like a bad policy for a company like Google. So here's something. You know, our HIPAA and SOPA, right? And I'm sure you do, right?
CHRIS: You know, the Stop Online Piracy Act and whatever HIPAA stand for, and it was pretty much the whole Internet was united in their outcry that this is a bad idea. It gives the government a little too much control over things that they -- for example, you could just accuse a website of something and get it removed from the host until it could be sorted out kind of thing, and it was a little bit of a guilty before, you know, proven innocent kind of thing, and it was weird. Were you against it philosophically? Did you have some say in that fight?
EARL: I don't really care for it too much because, with the Tor network, well, like, one thing you have to understand about SOPA is that SOPA would be, from my understanding, an American agreement. And given that my host is in Iceland, that doesn't really matter to me too much.
CHRIS: So it wouldn't have affected you personally is the point.
EARL: No, and with Tor, because Tor encrypts the traffic end-to-end, and there's no trust involved in Tor, like you don't have to trust -- like with my VPN, I have to trust that they're not going to give up my real IP address, but with Tor, you don't have to trust anyone just because of the complex way that Tor is created. And with Tor and the other darknet that I use, I2P, SOPA would basically have no effect. And what I think eventually is going to happen is something, either SOPA or something very similar to SOPA, is going to pass. And then things like Tor and I2P are going to become more and more common because it's a way of getting around the censorship, and that's exactly what those programs were created to do.
CHRIS: But it doesn't make for a better Internet, does it? I mean, despite the fact that it might not affect you directly very quickly.
EARL: Yeah, I think it would be bad if it passed, definitely, but I've just never felt too strongly on it.
CHRIS: Okay. That's fair. And what's interesting to me is, of course I was against it just because I feel like most people were. And what I read up on it, it'd be like kind of nasty. The way I understood it was that if somebody kind of like accused my site of doing something nasty, even a copyright violation, that they could reach out to my host, which obviously is a very easy thing to find, and they could kind of shut me down until it was sorted out, and that feels very dangerous and way too big brothery and scary to me, and that's the limited part that I understood of it and, thus, was against it.
But what it does is it kind of gave the government some power over the Internet, which they have very little of now, as we know. And for the first time when this stuff went up on Doxbin or whatever, it made me kind of feel like it's funny to me that I can't reach out to the government at all. Let's say I was so mad at you right now that I was going to do everything in my power to find you and get all mad about it. And I was like, I'm going to call the FBI, you know. They couldn't help me. The jails are not piling up with Internet criminals. If they could even find you, which I'm sure they couldn't, you know.
But I feel like if something like SOPA happens, if we were to give the government more control over the Internet, maybe they could have. Maybe it would be easier for them to find and shut down a site like Doxbin. My technological understanding of all this is little, but for the first time in my life I kind of felt like, just for a moment, and I'm not sure I truly in my heart of hearts believe this, but I felt for a moment like, gosh, I wish the government had control, more control over the Internet.
EARL: Yeah. The thing with that is actually with Tor, the way that it's set up, when you visit a website that has a .onion domain, you're not actually -- like if I were to visit Media Temple, then I know Media Temple's IP address, and I know, like it's pretty simple to find out where it's hosted and stuff.
EARL: But with services like Doxbin and hidden services, that's what they call the onion domains, they're set up in a way that you're just going through the Tor network, and all you can see is random Tor network IP addresses, and you aren't actually able to find the owner of the website. And, inversely, the owner of the website is unable to find you, which as bad as it sounds because, you know, I like Tor, and I think that Tor has very good uses, does allow people to do very bad things and have really -- nobody has any legal recourse.
CHRIS: Okay. But -- yeah, okay. So -- whatever. The government couldn't even find the thing to shut down if they wanted to.
EARL: Nope, and they have tried.
CHRIS: Even if there was legal -- yeah, if there was some -- even if they were granted the power to do so.
EARL: Yeah, I'm pretty sure Obama's social security number is even on Doxbin.
CHRIS: Oh, geez.
EARL: And hasn't been removed.
CHRIS: Wow! I guess that says something. There's an endorsement. Just like the LifeLock guy's social security number he made available at one point….
EARL: Yeah, yeah. It ended up on billboards and stuff.
CHRIS: Okay. So there's going to be some people out there who are not pleased with me in a new way, and that is that I'm giving you, who is a self-admitted bad guy, a larger voice, right, because why, you know, why encourage the trolls? Why celebrate the bad people or whatever?
The reason I'm doing this is for my own -- I don't know -- my own understanding. I needed to know what's going on.
EARL: Yeah, like closure.
CHRIS: Yeah, hopefully.
CHRIS: Closure is a good word for it. Let's call it closure.
EARL: Yeah, I think that one thing that people, I would not say misconceive about because I am a bad guy, but I would say that people have a little skewed is that I did go after SatoshiSquared.com as something purely malicious. I just wanted free money. And I went after your site and caused you a lot of personal trouble, and I did, like, laugh at you on Twitter during the time that I had done it. And, like, I opened up with I'm going to hacks your site.
CHRIS: It did not seem like you were the kind of college student at a university at that time, but anyway --
CHRIS: -- go on.
EARL: But when I had put CSS-Tricks in mind as like my target, it was because I actually thought, wow, Media Temple, especially when I saw that jQuery was hosted with Media Temple, or was in the past, but is no longer hosted with Media Temple, I thought, wow; someone that really wanted to just watch the world burn could go after a big site like jQuery. And because Media Temple doesn't do its job very well in making sure that people aren't getting into their customers' accounts, that could cause a lot of people, from a lot of different websites, a lot of trouble.
CHRIS: I'm sure we'll hear from them after.
EARL: It was malicious in the way I did it, but I think that I did have a good goal in mind, but that's not to say that the end justifies the means.
CHRIS: Yeah. Well, so that's interesting. We're raising some awareness in that way.
CHRIS: You know, despite some anger and some back and forth name calling and whatnot, some personal attacks, as it were, are you not a watch the world burn type of hacker or whatever? I feel like the grandpa talking about skateboarding when I say the word hacker, but.
EARL: No, I get the same feeling. I know what you mean, but no. I mean, there have been times. It's all just kind of whatever I feel like doing. I just felt like doing something that I saw as mildly good.
CHRIS: That's what I needed an answer to. I was like, is it malice against me? Because even if it is, I would just want to know. Like attacking me through a computer has some level of safety to it. You could come up to me on the street and punch me in the face, but it's more way risky. I just saw you do that. I can whatever.
CHRIS: You're going to get caught for doing something like that. But let's say there was a way that you could do a similar kind of thing, but not get caught. Have it be as anonymous as safe as attacking my website. Let's say there's a button on a wall somewhere, and you could press it, and a man will come break my legs and disappear into the nights. Would you press that button? Is it that kind of vindictiveness against me or not?
EARL: No, it's not. It's -- the reason that I put the social security number up was because I really did not appreciate the honeypot thing. I saw that as a very personal attack. And in my anger, I just put the recourse on you because I didn't consider, as well as I should have, that Media Temple was the ones responsible for it. But I don't have any actual like malice for you. It was more just I wanted to send a message that --
CHRIS: Well, we'll get that. We'll try and get that message on.
EARL: -- I'm not going to….
CHRIS: Yeah, I don't know if we could if we wanted.
EARL: Yeah, I don't -- like because, you know, people have tried. There's actually been one post about me that was put on Doxbin and later removed due to a lack of information that had a couple of my user names on it, but nothing really anything important.
CHRIS: So you know how it feels in a way.
EARL: Yeah, there actually is one post on Doxbin under a nickname that I had used when I was like probably like 13 that actually is on Doxbin with my real information, but it has no connection to this user name.
CHRIS: Well, okay. So like I kind of started this ending with is that there's going to be people out there that are mad at me for giving you a bigger voice, so I want to make this show a little bit worthwhile. I think it was worthwhile in kind of hearing how this stuff goes down, spreading a little awareness.
What about something that people could do to protect themselves? Is there any kind of somewhat positive message that we can make this a little bit extra worthwhile so, at the end, when people are yelling at me for this, I can say, look; at least there was this good message at the end. Is there some--?
EARL: The best advice I could give would be either pick a host that you know is going to want a lot of information from you and will verify all of it, or pick a host that wants no information from you and just is not very cooperative if something happens because that's like how my host is. I paid for my hosting.
CHRIS: So can we -- can we have a takeaway? What is that host? Are they good?
EARL: Yeah, OrangeWebsite.com, it's an Icelandic host, and they accept Bitcoins. And they're open about people being anonymous on their website. Like they don't mind if they don't have your real details. Like if there's a problem, they'll take stuff down off from their host. They're not like hosting openly illegal things, but --
CHRIS: How do you contact them to change something if you have to then?
EARL: Basically you just hope that whatever email you put on, you just need to be able to hold onto that very well. Another recommendation that I have is Gmail is a very good email provider because they require like a lot of different information to reset your password, and they don't have like a funnel support line because people are always….
CHRIS: Yeah, I was pretty sure you didn't get into my email because I got the two-way auth on there, and I think that's pretty good security.
EARL: Yeah, stuff like that, and then signing up with a host where the only way to reset is your email address. Like my host doesn't know my real name. They have no address on file for me. They've got no phone number, so the only way that you can reset like my hosting account, for instance, would be to have access to my email, which isn't impossible, but it's a lot harder than opening up Photoshop for 15 minutes.
CHRIS: Yeah. Well, there's one thing I need to ask, even though this is weirdly placed in this show, but before we wrap up here is that a couple years ago, maybe it was two years, a year and a half, something like that, my website was stolen in a more dangerous way, I think. And what they did was they stole my domain name, the ownership of the domain name. A) Did you have anything to do with that?
EARL: No. I actually did find that though because, just looking for to see like the fruits of what I had done, I had Googled CSS Tricks hacked just to see if what I had done would come up. And, no, I actually didn't have anything to do with that.
CHRIS: Okay, just curious. I mean, I didn't expect that you did somehow, but as somewhat of an Internet criminal, did you read the post? Do you kind of understand what happened? I can sum it up pretty quickly if you did not.
EARL: Yeah. I'd read the post. Basically what happens with that a lot is similar tactics can be used on domain registrars.
CHRIS: I mean, I never got to the bottom of it. This is a total mystery to me to this day is that you think that that is somewhat likely is that they were able to call Go Daddy? It was where it was hosted at first, and then it kind of bounced around to a couple of them. You think that they did it over the phone? I mean, you don't have to be right. I'm just curious as to how you think it happened.
EARL: I think that it was either a social engineering attack or it was already just there was some bug in the website. But whatever it was, it was definitely whatever was wrong with -- it was some missed thing on the domain registrar's part that they had let that happen. And actually, that one site that I had bought your social security number from, ssndob.cc, that was recently hacked because someone gained control of their domain because they have the entire domain registrar hacked.
CHRIS: Yeah, and to be -- so people understand, the reason that's more dangerous is, let's say Earl here were to have gotten complete access to my servers and did whatever he want with them, just totally trashed them, put spam on there, used them as a DDoS, who knows what. I don't even know what you would have did if you're into that kind of thing or not. But the point is, let's say you were to have full rein over it, root access, whatever. And that's another question. You don't still have root access to my site, do you?
EARL: No, I don't. I never got into the main CSS Tricks.
CHRIS: Okay. Let's say you did though. Let's say you did.
CHRIS: And you could do whatever you wanted. Because I still own the domain name, I could, fairly quickly, register a new host somewhere. Of course, I have backups of everything. It's even version controlled and stuff. Throw up all the files from CSS Tricks, grab a copy of the database taken, backed up in real time actually, move it over to the new host, and then point my domain registered at that new thing and I'd be back up and running with a hack free website. Because I own the domain name, I have that power. But if you lose the domain name, you lose it all. So anyway, the point is that sucked.
CHRIS: I was able to get it back because Go Daddy fought to get it back for me. And I am a little mad at Media Temple for doing what they did to you because, of course, that's the thing that spurned the actual fallout from this is that it is a little easier to get my social security number out there in the world, and that kind of sucks for me. And even if Earl wanted to get it back, which, you know, it sounds like he may try and get it back for me, that would be, you know, it's weird to say nice.
EARL: It would be an undertaking.
CHRIS: But it would be nice of you. Anyway, I would urge you to be nervous about that because I don't want an orange icon next to mine, you know.
CHRIS: That -- whatever. You know what I mean.
EARL: Yeah, I know what you mean.
CHRIS: Okay. So, people, don't be too mad at me for this. I thank you, Earl, for coming on and explaining to me all this, what went down, and who you are and what your background is. Hopefully some people can protect themselves, get a host that's less susceptible to this kind of thing, that kind of thing. Hopefully it was interesting listening. Any final words?
EARL: Nope. I think I'm pretty much good. Thanks for having me.
CHRIS: All right, well, until next time, folks. See you later.