I was doing some private research into Facebook shadow profiles (you should look them up; they're a horrific violation of privacy) when I came across a site distributing something called Z-Shadow. It's a tool for acquiring usernames and passwords for Facebook, Google and other sites. As far as I can see, it creates realistic "shadow" sites to which phishing emails can link.

Subsequently I found a number of other sites which make Z-Shadow available or describe how to use it. How come sites like this exist? Surely identity fraud and password theft are illegal in in all jurisdictions.

And you think the Zuckerborg cares about the law?

Z-Shadow has nothing to do with Zuckerberg! Facebook is their target -- their preferred target because it contains more data on its hapless users than any other site. Once you have cracked someone's Facebook account, you have everything you need to steal their identity.

The point I was making is that phishing, site cracking and identity theft are crimes in most if not all countries, so how come the police allow these sites to proliferate? Shouldn't they be tracing the people who create and use them and locking them up, along with whoever wrote the software in the first place?

Location, location, location. Budgets. If danger is involved. Easier to write a traffic ticket. Lot's of reasons.

I had never heard of it before but you're right. It's easy enough to find info on using it. Not that I'm interested.

Why is MetaSploit allowed to exist? Man-in-the-middle proxy? Or for that matter, Kali Linux? How much legit "penetration testing" is done with Kali compared to less laudable activities? A very small percentage I suspect.

You can google up numerous .pdf files on just about any form of hacking you can think of and there will always be people inclined to those types of activities. Before there were personal computers there was phone phreaking.

The WikiPedia article on "Phreaking" is an entertaining read. In addition to the whistles sold in boxes of breakfast cereal, early computers were immediately being programmed to generate the increasingly complex tone signals used by phone networks of those days. Some things just don't change.

I am well aware of Captain Crunch and his genius with a whistle from a box of cereal. But that's only part of what makes up phone phreaking.

Cordless phones used 10 frequencies in the 46MHz range and 10 in the 49MHz range. With a multiband ground plane mounted on the roof they could be picked up for blocks. Baby monitors worked on the same range

Until cell phones came out scanners were capable of picking up signals in the 800MHz range, then they blocked it so you couldn't listen to cell phones. That is unless you had a scanner with dual conversion and picked up images of the transmission at twice the Intermediate Frequency of the scanner. The police also used cellphones to call from car to car if they didn't want something over the radio.

Some local Local law Enforcement in those days used voice inversion to scramble what they didn't want your average Radio Shack Joe to listen to, maybe something like asking another officer for the password for the State Police website. A readily available descrambler hooked to the external speaker outlet inline with an external speaker defeats it and transmissions are heard in the clear. The FBI used a different technology (digital as opposed to analog) referred to as "bubble machines".

Body wires work on the same principal. Anyone set up for it within a couple blocks of the Drug Taskforce could hear it the instant they turned on the wire to check if it was working, make the buy and the dealer was no the wiser. Going to jail, but happy as a clam ATM. A techy fellow might even be able to record such events live.

Or so I heard. I think this is what they were talking about.

Phone phreaking was harmless. It robbed the telephone companies of some income but it was really a victimless crime. I don't think there is any moral equivalence with cracking people's Facebook logins so that you can steal their identity (and probably most of their money too). People who do that kind of thing are scum and the police ought to be doing more to take down sites that encourage it.

Right but anybody that's stupid enough to "post" that information in the first place.... While I don't support those sites in ANY way(never heard about them until now), I think that the "victims" brought it upon themselves. I mean get real, I don't need to know what you're eating tonight...also where....

Did I make a moral equivalency to cracking a Facebook account and phone phreaking? Not that I'm aware of, unless my generalization of "those types of activities" is what you meant.

Perhaps it was that you didn't want to address the existence of Kali. Try searching "kali linux facebook hack 2018" and see what Google brings up.

I suppose Kali is a two-edged sword. It can be used to do a lot of damage, but on the other hand sysadmins of big sites do need a tool to test their server security to destruction. I can't see any white-hat use for Z-Shadow. And the sites that I have seen are frankly criminal.

I was listening to the beeb overnight the other night, and one of the correspondents made the interesting point that Snowden exposed the fact that the governments are using the mega companies to do the surveillance for them. For no cost, and no voter back-lash.
Don't expect a crackdown from the legislators any time soon.

Well, sooner or sooner, we're going to have to have both domestic laws and international treaties to define the legal environment of the Internet. It's baffling to me why we don't have such things yet.

Care to tell us how you come to learn of this?

I think the UN already tried to take over control of the Internet and failed.

Really? And how exactly are individual country's going to control the Internet? How exactly are individual country's going to be able to take action against a site that's not within it's borders? Why are all country's going to respect a "international treaty", particularly country's that use it for cyber attacks against other country's ?

Let me guess, Russia's completely innocent and it's just the "west" playing silly buggers?

Which is in fact a straw man argument.

You've already made the case that the WWW pretty much 'transcends' nation states, in that any state attempting to legislate will only really ever censor (as is already the case in some countries).

So someone appearing to be attacking from e.g. Russia could be pretty much, well anyone and not necessarily state sponsored (or even in Russia for that matter).