Image metadata unmasks botmaster?

Yesterday I wrote about an interesting Washington Post interview with a botmaster, going by the online handle of "0x80", who claims to control around 2,000 PCs across the globe, which he uses to bombard users with spyware.

Now it seems that Brian Krebs's article may have given away a little more about the location of our web malcontent than was originally intended.

The article contained some scene-setting snippets about the botmaster's location. We know, for example, that he lives at home with his parents in a small town in Middle America, where the nearest businesses are a used-car lot, a gas station/convenience store and a strip club. OK, not too much to go on here, as this could be any one of a great many towns.

But then Slashdot readers got on the case and things started to unravel. A cropped photo, presumably of 0x80, which was originally published with the article but has since been taken down, turned out when downloaded to carry metadata showing that it was taken in the town of Roland, which has a population of just 3,000.

SLUG: mag/hacker

DATE: 12/19/2005

PHOTOGRAPHER: Sarah L. Voisin/TWP

id#: LOCATION: Roland, OK

CAPTION:

PICTURED: Canon Canon EOS 20D

Adobe Photoshop CS2 Macintosh 2006:02:16 15:44:49 Sarah L. Voisin

You can see the picture in question here.

Given that we also know from the article that 0x80 is male, in his early 20s and lives near a strip joint where he claims to have spent $800 recently, tracking him down should be within the means of even the most intellectually challenged of law enforcement officers.

Intriguingly, however, someone purporting to be 0x80 has claimed, in a comment on another of Krebs's blog postings:

funny is that that is way off from where i reside apparently from what i gathered from Brian Krebs was it was old metadata so im still safe. haha i guess luck is on my side :)

If this comment really is from 0x80, it could of course be nothing more than a desperate bit of bravado, and Krebs himself has said little about the issue, commenting only that he is aware of what has happened. The mystery deepens.

Some are speculating that the paper could face liability problems if 0x80 is unmasked, but whatever the outcome it's a useful reminder to us all that digital files can reveal far more information than you bargained for.
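As an added illustration (this is not code from the original post, nor anything the Washington Post uses), here is a small pure-Python script that reads the fields which gave the game away above, the Exif IFD0 tags (camera, software, timestamp, artist) in a JPEG's APP1 segment and the IPTC caption datasets (by-line, city, state, date) in its Photoshop APP13 segment, and a companion routine that strips those segments before a file is published. The sample JPEG is constructed inside the script from the values quoted in the post, with a dummy scan in place of real image data, so it is illustrative only; mapping the caption tool's PHOTOGRAPHER, LOCATION and DATE lines onto the IPTC By-line, City, Province/State and Date Created datasets is an assumption about how that tool stored them.

```python
import struct

EXIF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime", 0x013B: "Artist"}
IPTC_TAGS = {55: "Date Created", 80: "By-line", 90: "City", 95: "Province/State", 101: "Country", 120: "Caption"}
# Segments that carry only metadata: APP1 (Exif/XMP), APP13 (Photoshop IRB with IPTC), COM (comment).
METADATA_MARKERS = {0xE1, 0xED, 0xFE}


def iter_segments(jpeg):
    """Yield (marker, start, end, payload) for each length-prefixed segment before SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    i = 2
    while i + 4 <= len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError("marker expected at offset %d" % i)
        marker = jpeg[i + 1]
        if marker == 0xDA:                    # SOS: entropy-coded image data follows, stop here
            return
        end = i + 2 + struct.unpack(">H", jpeg[i + 2:i + 4])[0]
        yield marker, i, end, jpeg[i + 4:end]
        i = end


def parse_exif_ifd0(payload):
    """Return the ASCII tags of IFD0 from an Exif APP1 payload (sub-IFDs are not followed)."""
    if not payload.startswith(b"Exif\x00\x00"):
        return {}
    t = payload[6:]                           # TIFF header; every offset is relative to it
    e = "<" if t[:2] == b"II" else ">"
    ifd = struct.unpack(e + "I", t[4:8])[0]
    out = {}
    for n in range(struct.unpack(e + "H", t[ifd:ifd + 2])[0]):
        ent = ifd + 2 + 12 * n
        tag, typ, cnt = struct.unpack(e + "HHI", t[ent:ent + 8])
        if typ != 2:                          # only ASCII entries are decoded in this demo
            continue
        off = ent + 8 if cnt <= 4 else struct.unpack(e + "I", t[ent + 8:ent + 12])[0]  # short values sit inline
        out[EXIF_TAGS.get(tag, hex(tag))] = t[off:off + cnt].rstrip(b"\x00").decode("ascii", "replace")
    return out


def parse_iptc(payload):
    """Return IPTC record-2 datasets (by-line, city, state, ...) from a Photoshop APP13 payload."""
    if not payload.startswith(b"Photoshop 3.0\x00"):
        return {}
    p, i, out = payload[14:], 0, {}
    while p[i:i + 4] == b"8BIM":
        rid = struct.unpack(">H", p[i + 4:i + 6])[0]
        name_len = p[i + 6] + 1               # Pascal-string resource name, padded to an even length
        j = i + 6 + name_len + name_len % 2
        size = struct.unpack(">I", p[j:j + 4])[0]
        data, i = p[j + 4:j + 4 + size], j + 4 + size + size % 2
        if rid != 0x0404:                     # 0x0404 is the IPTC-NAA resource block
            continue
        k = 0
        while k + 5 <= len(data) and data[k] == 0x1C:
            rec, ds, ln = data[k + 1], data[k + 2], struct.unpack(">H", data[k + 3:k + 5])[0]
            if rec == 2:
                out[IPTC_TAGS.get(ds, "2:%d" % ds)] = data[k + 5:k + 5 + ln].decode("latin-1")
            k += 5 + ln
    return out


def extract_metadata(jpeg):
    """Collect the Exif and IPTC fields an image viewer would display for this file."""
    found = {}
    for marker, _, _, payload in iter_segments(jpeg):
        if marker == 0xE1:
            found.update(parse_exif_ifd0(payload))
        elif marker == 0xED:
            found.update(parse_iptc(payload))
    return found


def strip_metadata(jpeg):
    """Copy the JPEG without its APP1/APP13/COM segments; the compressed image data is untouched."""
    out, last = bytearray(b"\xff\xd8"), 2
    for marker, start, end, _ in iter_segments(jpeg):
        if marker not in METADATA_MARKERS:
            out += jpeg[start:end]
        last = end
    return bytes(out + jpeg[last:])           # SOS onwards: scan data and EOI


def _segment(marker, payload):                # builders for the constructed sample (not a real photo)
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def _exif_app1(fields):
    """Little-endian TIFF with one IFD of ASCII entries; all sample values are longer than 4 bytes."""
    n, entries, data = len(fields), b"", b""
    for tag, s in fields:
        raw = s.encode("ascii") + b"\x00"
        entries += struct.pack("<HHII", tag, 2, len(raw), 8 + 2 + 12 * n + 4 + len(data))
        data += raw
    return b"Exif\x00\x00II*\x00" + struct.pack("<IH", 8, n) + entries + struct.pack("<I", 0) + data


def _iptc_app13(datasets):
    iptc = b"".join(b"\x1c\x02" + bytes([ds]) + struct.pack(">H", len(s)) + s.encode("latin-1") for ds, s in datasets)
    block = b"8BIM" + struct.pack(">HHI", 0x0404, 0, len(iptc)) + iptc + b"\x00" * (len(iptc) % 2)
    return b"Photoshop 3.0\x00" + block


SAMPLE_JPEG = (                               # constructed from the values quoted in the post; dummy scan data
    b"\xff\xd8"
    + _segment(0xE1, _exif_app1([(0x010F, "Canon"), (0x0110, "Canon EOS 20D"), (0x013B, "Sarah L. Voisin"),
                                 (0x0131, "Adobe Photoshop CS2 Macintosh"), (0x0132, "2006:02:16 15:44:49")]))
    + _segment(0xED, _iptc_app13([(80, "Sarah L. Voisin/TWP"), (90, "Roland"), (95, "OK"), (55, "20051219")]))
    + _segment(0xFE, b"constructed sample, not a real photo")
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\xd9"  # dummy SOS header, two "scan" bytes, EOI
)
```

Calling extract_metadata(SAMPLE_JPEG) returns the Make, Model, Software, DateTime and Artist tags plus the By-line, City, Province/State and Date Created datasets; extract_metadata(strip_metadata(SAMPLE_JPEG)) returns an empty dict, and the stripped file keeps its SOI, scan and EOI bytes unchanged. Removing whole segments rather than individual fields is deliberate: besides the text tags, an Exif block can carry an embedded thumbnail of the original, uncropped frame, so editing one field at a time would leave the more revealing part in place.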