You may have noticed a sensational real-life case recently in which an 18 year old girl in Sydney had a bomb hung around her neck. The bomb proved to be an extortion hoax, but they didn't know that for the first 10 hours while they worked out how to get the thing off her, in fear of an anti-tamper trigger. Which means the girl had to sit still for 10 hours, not knowing if she was going to die at any moment. (I presume the policewoman who volunteered to sit with her is due a huge medal.) A man's been arrested for it, in, of all places, Kentucky. Since Kentucky is somewhat outside Australian police jurisdiction, the FBI did the honours on their behalf.
I want to talk about the trail that led to the arrest, because it's an interesting example of detection in an internet world.
The extortion note said to contact a certain email address: firstname.lastname@example.org. I guess the extortionist is a James Clavell fan. It's nice to know even heartless extortionists can be readers.
So, now we start detecting...
Keep in mind that the extortionist had to access that gmail account to see if his victims had replied.
Every machine connected to the internet has assigned a unique number called its IP address. If you think of it as being like a telephone number, you'd not be far wrong.
The IP numbers have to be unique
, because these things are what the internet uses to send messages to the right place. Imagine if two people had exactly the same phone number; it's the same logic. The machine you're using to read this blog has a unique IP address.
IP addresses are always broken into four parts, written as A.B.C.D, purely to make them easier to manage. Each of A, B, C and D is a number from 0 to 255. So, for example, the site FBI.gov, has an IP address of 184.108.40.206.
It should come as no surprise that Google logs the IP address of everyone who uses its email accounts.
So the Australian police called Google and asked, who had accessed that email account. Google replied with three IP addresses, and the dates and times of access.
The first IP address had been assigned to an internet kiosk at O'Hare airport in Chicago. The email account had been set up from that kiosk, before the crime occurred. Of course they didn't know who had used the kiosk, but they knew for sure the extortionist had been at O'Hare at that date and time.
The second IP address had been assigned to a computer at a public library at Kincumber, on the central coast of New South Wales. Incidentally, this is close to where my mother lives, but I don't suspect her.
The third IP address had been assigned to an internet kiosk at a video store not far from the library.
The second and third access had been to see if there was any mail. And they were accessed after the crime.
Clearly the extortionist had flown from Chicago to Sydney, committed the crime, and then gone north to Kincumber, and the police knew dates, times and places of where he'd been. This, plus travel records and some video camera footage from the locations was enough to find their suspect.
How did they know where to find the computers with those IP addresses? Since every number must
be unique, a central authority called ICANN allocates them. ICANN, through third parties, allocates them in blocks. A small ISP might ask for a block of IP addresses for its customers to use, and be allocated for example every address that begins 10.20.30. That's called a class C block because the A, B and C parts of the addresses are all the same, and only the D part varies. (Remember I said IP addresses are always written in four parts? This is why.) The ISP in this example has available to allocate every number from 10.20.30.000 to 10.20.30.255.
ISPs, in turn, keep a record of which of their customers have been assigned which numbers.
When the police got the three IP addresses from Google, they could immediately look up which ISPs owned the blocks in which those numbers sat. They then had to get from the ISPs which computers had those numbers assigned at that particular time.
So in summary, the web site owner can tell the police the IP address of the criminal. ICANN tells the police which ISP controls that address, and the ISP tells the police precisely which computer was using the address at the moment of the crime.
IP addresses are, therefore, very much like fingerprints on the internet.