Remember how I started Pondering MITRE PANOPTIC clear back in mid-January? I didn’t forget about it; this post has been on the back burner for about six weeks. I have a personal harassment case I’m working this weekend and it seemed like a good time to finish this up.
East Bay Craigslist Scammer and San Francisco Studio Simulacra are about the perilous bottom end of the Bay Area housing market. But there is a stew of privacy issues in this, all things that can be evaluated with PANOPTIC.
Attention Conservation Notice:
Half of this is because I hate scammers, another half is because I hate on anyone taking advantage of someone who is vulnerable in some fashion, and the rest is because it does offer a lot of issues that are a fit for PANOPTIC. Did I mention I intensely dislike scammers?
Privacy Problems:
OK, so what’s going on here in terms of privacy? Everybody involved in any fashion has something to lose. Consider these:
Renter has to give up enough info for ID theft to qualify for renting.
Legit landlord has a name and a location, and there are some crimes that start with a “window shopper” turning up to look at a furnished place.
Remote scammers have a harder time executing, and they’re much safer, but their infrastructure is at risk if they encounter someone like me.
The IRL scammer plays a most dangerous game, particularly when they encounter someone observant.
When I agreed to look at this stuff I had an investigation setup left over from something that aborted pretty early. There’s a phone, a Google Voice, an email, and so forth. The only real risk was the IRL encounter and there isn’t much I’d expect from someone like that, so long as no money changes hands. Oh, and then there’s the issue of writing about it here, but the experiments are pretty much over, so the most any of my obsessive pursuers will accomplish is wasting their time learning about East Bay housing.
My inner farm boy still gets out at the oddest times. One of the legitimate landlords in this mix wasn’t willing to give up the street address until they had my PII. I was puzzled by this, but they explained that in the past a tour had served as recon, and a new tenant was promptly burglarized the first time they took a weekend trip. Despite all the slinking around I do, these openings for theft are things I recognize in retrospect, not innovations I create.
The tasks related to the remote player(s) from East Bay Craigslist Scammer are not complete, but for them the loss has already occurred. I know what I know and there is nothing they can do to conceal their system from me. (After some consideration, I published Myanmar’s Cyberslaves on March 14th.)
As a curious addendum, I started this post, wandered off for more than a day, came back, and there were a few more responses. They asked for my email, I gave them the one I’ve been using, and I’ve been promptly ghosted. Some of the fraudulent posts are the same group, or maybe they’re independent but have come to know each other over the time they’ve been operating. There isn’t any sort of social networking on Craigslist itself to facilitate this, but such things happen when people with malign agendas operate in the same environment.
The remotes remain below the FBI’s published $5,000 limit across state lines. The local IRL players are within reach of law enforcement. But since internet is hard when you’ve got a badge … I think it’s a dead end.
Applying PANOPTIC:
First things first - there’s no cybersecurity angle to this. I sent emails, SMS messages, made some phone calls, and had a single IRL meet. I could introduce some sort of technical threat in this environment, like including a Canary Token in a document I send in response to a request for information, but even that isn’t really a cybersecurity issue, it’s a surveillance tactic … which is a straight up privacy thing.
There isn’t a structured course for PANOPTIC; we’re left with a paper and some slides, but some of the visualizations are quite helpful. The Privacy Problems section is a quick ad hoc exam of issues for all parties. Explicitly looking for Vulnerabilities, Threats, and Consequences as a matrix would be a good starting point for those not familiar enough with the issues to make decisions on the fly.
And the basis for the matrix exists, but it’s just a simple spreadsheet, with 162 lines covering 149 issues in thirteen distinct domains.
So what do we have here?
Vulnerabilities:
These people are giving up emails, domain names, phone numbers. I could maybe get fancy and spearphish them, or if nothing else figure out public IPs they are using. I’m proposing taking existing privacy leaks and “enriching” them.
Threats:
The threat is simple: it starts with me, concocting what I can do to the bad guys. I published an article; maybe it’s rising because someone else is after them. I could roll up all the info and put it in IC3, hoping there’s a broader criminal investigation.
Consequences:
Loss of technical assets - the easiest being reporting the scam-related domains. There are a variety of ways to mess with the phones and email. The biggest thing would be prosecution, but I suspect the little fish would be ignored; USDOJ would do something about the overall operator if they could ID them.
So in summary … it’s a fun puzzle, but I can’t imagine it providing any vindication by solving it. So just let it go …
Conclusion:
The renting thing got handled and my current problem in this area is a stalker case. I did have a little summary of it here, but it largely resolved the day before this came out, so I’m going to provide a bit of background on it in a separate post later this week.