171 stories

Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site

1 Comment

LocationSmart, a U.S. based company that acts as an aggregator of real-time data about the precise location of mobile phone devices, has been leaking this information to anyone via a buggy component of its Web site — without the need for any password or other form of authentication or authorization — KrebsOnSecurity has learned. The company took the vulnerable service offline early this afternoon after being contacted by KrebsOnSecurity, which verified that it could be used to reveal the location of any AT&T, Sprint, T-Mobile or Verizon phone in the United States to an accuracy of within a few hundred yards.

On May 10, The New York Times broke the news that a different cell phone location tracking company called Securus Technologies had been selling or giving away location data on customers of virtually any major mobile network provider to a sheriff’s office in Mississippi County, Mo.

On May 15, ZDnet.com ran a piece saying that Securus was getting its data through an intermediary — Carlsbad, CA-based LocationSmart.

Wednesday afternoon Motherboard published another bombshell: A hacker had broken into the servers of Securus and stolen 2,800 usernames, email addresses, phone numbers and hashed passwords of authorized Securus users. Most of the stolen credentials reportedly belonged to law enforcement officers across the country — stretching from 2011 up to this year.

Several hours before the Motherboard story went live, KrebsOnSecurity heard from Robert Xiao, a security researcher at Carnegie Mellon University who’d read the coverage of Securus and LocationSmart and had been poking around a demo tool that LocationSmart makes available on its Web site for potential customers to try out its mobile location technology.

LocationSmart’s demo is a free service that allows anyone to see the approximate location of their own mobile phone, just by entering their name, email address and phone number into a form on the site. LocationSmart then texts the phone number supplied by the user and requests permission to ping that device’s nearest cellular network tower.

Once that consent is obtained, LocationSmart texts the subscriber their approximate longitude and latitude, plotting the coordinates on a Google Street View map. [It also potentially collects and stores a great deal of technical data about your mobile device. For example, according to their privacy policy that information “may include, but is not limited to, device latitude/longitude, accuracy, heading, speed, and altitude, cell tower, Wi-Fi access point, or IP address information”].

But according to Xiao, a PhD candidate at CMU’s Human-Computer Interaction Institute, this same service failed to perform basic checks to prevent anonymous and unauthorized queries. Translation: Anyone with a modicum of knowledge about how Web sites work could abuse the LocationSmart demo site to figure out how to conduct mobile number location lookups at will, all without ever having to supply a password or other credentials.

“I stumbled upon this almost by accident, and it wasn’t terribly hard to do,” Xiao said. “This is something anyone could discover with minimal effort. And the gist of it is I can track most peoples’ cell phone without their consent.”

Xiao said his tests showed he could reliably query LocationSmart’s service to ping the cell phone tower closest to a subscriber’s mobile device. Xiao said he checked the mobile number of a friend several times over a few minutes while that friend was moving. By pinging the friend’s mobile network multiple times over several minutes, he was then able to plug the coordinates into Google Maps and track the friend’s directional movement.

“This is really creepy stuff,” Xiao said, adding that he’d also successfully tested the vulnerable service against one Telus Mobility mobile customer in Canada who volunteered to be found.

Before LocationSmart’s demo was taken offline today, KrebsOnSecurity pinged five different trusted sources, all of whom gave consent to have Xiao determine the whereabouts of their cell phones. Xiao was able to determine within a few seconds of querying the public LocationSmart service the near-exact location of the mobile phone belonging to all five of my sources.

LocationSmart’s demo page.

One of those sources said the longitude and latitude returned by Xiao’s queries came within 100 yards of their then-current location. Another source said the location found by the researcher was 1.5 miles away from his current location. The remaining three sources said the location returned for their phones was between approximately 1/5 to 1/3 of a mile at the time.

Reached for comment via phone, LocationSmart Founder and CEO Mario Proietti said the company was investigating.

“We don’t give away data,” Proietti said. “We make it available for legitimate and authorized purposes. It’s based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously and we’ll review all facts and look into them.”

LocationSmart’s home page features the corporate logos of all four the major wireless providers, as well as companies like Google, Neustar, ThreatMetrix, and U.S. Cellular. The company says its technologies help businesses keep track of remote employees and corporate assets, and that it helps mobile advertisers and marketers serve consumers with “geo-relevant promotions.”

LocationSmart’s home page lists many partners.

It’s not clear exactly how long LocationSmart has offered its demo service or for how long the service has been so permissive; this link from archive.org suggests it dates back to at least January 2017. This link from The Internet Archive suggests the service may have existed under a different company name — loc-aid.com — since mid-2011, but it’s unclear if that service used the same code. Loc-aid.com is one of four other sites hosted on the same server as locationsmart.com, according to Domaintools.com.

LocationSmart’s privacy policy says the company has security measures in place…”to protect our site from the loss or misuse of information that we have collected. Our servers are protected by firewalls and are physically located in secure data facilities to further increase security. While no computer is 100% safe from outside attacks, we believe that the steps we have taken to protect your personal information drastically reduce the likelihood of security problems to a level appropriate to the type of information involved.”

But these assurances may ring hollow to anyone with a cell phone who’s concerned about having their physical location revealed at any time. The component of LocationSmart’s Web site that can be abused to look up mobile location data at will is an insecure “application programming interface” or API — an interactive feature designed to display data in response to specific queries by Web site visitors.

Although the LocationSmart’s demo page required users to consent to having their phone located by the service, LocationSmart apparently did nothing to prevent or authenticate direct interaction with the API itself.

API authentication weaknesses are not uncommon, but they can lead to the exposure of sensitive data on a great many people in a short period of time. In April 2018, KrebsOnSecurity broke the story of an API at the Web site of fast-casual bakery chain PaneraBread.com that exposed the names, email and physical addresses, birthdays and last four digits of credit cards on file for tens of millions of customers who’d signed up for an account at PaneraBread to order food online.

In a May 9 letter sent to the top four wireless carriers and to the U.S. Federal Communications Commission in the wake of revelations about Securus’ alleged practices, Sen. Ron Wyden (D-Ore.) urged all parties to take “proactive steps to prevent the unrestricted disclosure and potential abuse of private customer data.”

“Securus informed my office that it purchases real-time location information on AT&T’s customers — through a third party location aggregator that has a commercial relationship with the major wireless carriers — and routinely shares that information with its government clients,” Wyden wrote. “This practice skirts wireless carrier’s legal obligation to be the sole conduit by which the government may conduct surveillance of Americans’ phone records, and needlessly exposes millions of Americans to potential abuse and unchecked surveillance by the government.”

Securus, which reportedly gets its cell phone location data from LocationSmart, told The New York Times that it requires customers to upload a legal document — such as a warrant or affidavit — and to certify that the activity was authorized. But in his letter, Wyden said “senior officials from Securus have confirmed to my office that it never checks the legitimacy of those uploaded documents to determine whether they are in fact court orders and has dismissed suggestions that it is obligated to do so.”

Securus did not respond to requests for comment.


It remains unclear what, if anything, AT&T, Sprint, T-Mobile and Verizon plan to do about any of this. A third-party firm leaking customer location information not only would almost certainly violate each mobile providers own stated privacy policies, but the real-time exposure of this data poses serious privacy and security risks for virtually all U.S. mobile customers (and perhaps beyond, although all my willing subjects were inside the United States).

None of the major carriers would confirm or deny a formal business relationship with LocationSmart, despite LocationSmart listing them each by corporate logo on its Web site.

AT&T spokesperson Jim Greer said AT&T does not permit the sharing of location information without customer consent or a demand from law enforcement.

“If we learn that a vendor does not adhere to our policy we will take appropriate action,” Greer said.

T-Mobile referred me to their privacy policy, which says T-Mobile follows the “best practices” document (PDF) for subscriber location data as laid out by the CTIA, the international association for the wireless telecommunications industry.

A T-Mobile spokesperson said that after receiving Sen. Wyden’s letter, the company quickly shut down any transaction of customer location data to Securus.

“We are continuing to investigate this matter,” a T-Mobile spokesperson wrote via email. T-Mobile has not yet responded to requests specifically about LocationSmart.

Verizon also referred me to their privacy policy.

Sprint officials shared the following statement:

“Protecting our customers’ privacy and security is a top priority, and we are transparent about our Privacy Policy. To be clear, we do not share or sell consumers’ sensitive information to third parties. We share personally identifiable geo-location information only with customer consent or in response to a lawful request such as a validated court order from law enforcement.”

“We will answer the questions raised in Sen. Wyden’s letter directly through appropriate channels. However, it is important to note that Sprint’s relationship with Securus does not include data sharing, and is limited to supporting efforts to curb unlawful use of contraband cellphones in correctional facilities.”


Stephanie Lacambra, a staff attorney with the the nonprofit Electronic Frontier Foundation, said that wireless customers in the United States cannot opt out of location tracking by their own mobile providers. For starters, carriers constantly use this information to provide more reliable service to the customers. Also, by law wireless companies need to be able to ascertain at any time the approximate location of a customer’s phone in order to comply with emergency 911 regulations.

But unless and until Congress and federal regulators make it more clear how and whether customer location information can be shared with third-parties, mobile device customers may continue to have their location information potentially exposed by a host of third-party companies, Lacambra said.

“This is precisely why we have lobbied so hard for robust privacy protections for location information,” she said. “It really should be only that law enforcement is required to get a warrant for this stuff, and that’s the rule we’ve been trying to push for.”

Chris Calabrese is vice president of the Center for Democracy & Technology, a policy think tank in Washington, D.C. Calabrese said the current rules about mobile subscriber location information are governed by the Electronic Communications Privacy Act (ECPA), a law passed in 1986 that hasn’t been substantially updated since.

“The law here is really out of date,” Calabrese said. “But I think any processes that involve going to third parties who don’t verify that it’s a lawful or law enforcement request — and that don’t make sure the evidence behind that request is legitimate — are hugely problematic and they’re major privacy violations.”

“I would be very surprised if any mobile carrier doesn’t think location information should be treated sensitively, and I’m sure none of them want this information to be made public,” Calabrese continued. “My guess is the carriers are going to come down hard on this, because it’s sort of their worst nightmare come true. We all know that cell phones are portable tracking devices. There’s a sort of an implicit deal where we’re okay with it because we get lots of benefits from it, but we all also assume this information should be protected. But when it isn’t, that presents a major problem and I think these examples would be a spur for some sort of legislative intervention if they weren’t fixed very quickly.”

For his part, Xiao says we’re likely to see more leaks from location tracking companies like Securus and LocationSmart as long as the mobile carriers are providing third party companies any access to customer location information.

“We’re going to continue to see breaches like this happen until access to this data can be much more tightly controlled,” he said.

Read the whole story
2 days ago
I'm sure the lowest bidding contractor that administers government backdoors would never be this lax on security.
Share this story

Virginia Beach Police Want Encrypted Radios

1 Comment and 2 Shares

This article says that the Virginia Beach police are looking to buy encrypted radios.

Virginia Beach police believe encryption will prevent criminals from listening to police communications. They said officer safety would increase and citizens would be better protected.

Someone should ask them if they want those radios to have a backdoor.

Read the whole story
9 days ago
Share this story
1 public comment
5 days ago
"Someone should ask them if they want those radios to have a backdoor."

Securing Elections


Elections serve two purposes. The first, and obvious, purpose is to accurately choose the winner. But the second is equally important: to convince the loser. To the extent that an election system is not transparently and auditably accurate, it fails in that second purpose. Our election systems are failing, and we need to fix them.

Today, we conduct our elections on computers. Our registration lists are in computer databases. We vote on computerized voting machines. And our tabulation and reporting is done on computers. We do this for a lot of good reasons, but a side effect is that elections now have all the insecurities inherent in computers. The only way to reliably protect elections from both malice and accident is to use something that is not hackable or unreliable at scale; the best way to do that is to back up as much of the system as possible with paper.

Recently, there have been two graphic demonstrations of how bad our computerized voting system is. In 2007, the states of California and Ohio conducted audits of their electronic voting machines. Expert review teams found exploitable vulnerabilities in almost every component they examined. The researchers were able to undetectably alter vote tallies, erase audit logs, and load malware on to the systems. Some of their attacks could be implemented by a single individual with no greater access than a normal poll worker; others could be done remotely.

Last year, the Defcon hackers' conference sponsored a Voting Village. Organizers collected 25 pieces of voting equipment, including voting machines and electronic poll books. By the end of the weekend, conference attendees had found ways to compromise every piece of test equipment: to load malicious software, compromise vote tallies and audit logs, or cause equipment to fail.

It's important to understand that these were not well-funded nation-state attackers. These were not even academics who had been studying the problem for weeks. These were bored hackers, with no experience with voting machines, playing around between parties one weekend.

It shouldn't be any surprise that voting equipment, including voting machines, voter registration databases, and vote tabulation systems, are that hackable. They're computers -- often ancient computers running operating systems no longer supported by the manufacturers -- and they don't have any magical security technology that the rest of the industry isn't privy to. If anything, they're less secure than the computers we generally use, because their manufacturers hide any flaws behind the proprietary nature of their equipment.

We're not just worried about altering the vote. Sometimes causing widespread failures, or even just sowing mistrust in the system, is enough. And an election whose results are not trusted or believed is a failed election.

Voting systems have another requirement that makes security even harder to achieve: the requirement for a secret ballot. Because we have to securely separate the election-roll system that determines who can vote from the system that collects and tabulates the votes, we can't use the security systems available to banking and other high-value applications.

We can securely bank online, but can't securely vote online. If we could do away with anonymity -- if everyone could check that their vote was counted correctly -- then it would be easy to secure the vote. But that would lead to other problems. Before the US had the secret ballot, voter coercion and vote-buying were widespread.

We can't, so we need to accept that our voting systems are insecure. We need an election system that is resilient to the threats. And for many parts of the system, that means paper.

Let's start with the voter rolls. We know they've already been targeted. In 2016, someone changed the party affiliation of hundreds of voters before the Republican primary. That's just one possibility. A well-executed attack that deletes, for example, one in five voters at random -- or changes their addresses -- would cause chaos on election day.

Yes, we need to shore up the security of these systems. We need better computer, network, and database security for the various state voter organizations. We also need to better secure the voter registration websites, with better design and better internet security. We need better security for the companies that build and sell all this equipment.

Multiple, unchangeable backups are essential. A record of every addition, deletion, and change needs to be stored on a separate system, on write-only media like a DVD. Copies of that DVD, or -- even better -- a paper printout of the voter rolls, should be available at every polling place on election day. We need to be ready for anything.

Next, the voting machines themselves. Security researchers agree that the gold standard is a voter-verified paper ballot. The easiest (and cheapest) way to achieve this is through optical-scan voting. Voters mark paper ballots by hand; they are fed into a machine and counted automatically. That paper ballot is saved, and serves as a final true record in a recount in case of problems. Touch-screen machines that print a paper ballot to drop in a ballot box can also work for voters with disabilities, as long as the ballot can be easily read and verified by the voter.

Finally, the tabulation and reporting systems. Here again we need more security in the process, but we must always use those paper ballots as checks on the computers. A manual, post-election, risk-limiting audit varies the number of ballots examined according to the margin of victory. Conducting this audit after every election, before the results are certified, gives us confidence that the election outcome is correct, even if the voting machines and tabulation computers have been tampered with. Additionally, we need better coordination and communications when incidents occur.

It's vital to agree on these procedures and policies before an election. Before the fact, when anyone can win and no one knows whose votes might be changed, it's easy to agree on strong security. But after the vote, someone is the presumptive winner -- and then everything changes. Half of the country wants the result to stand, and half wants it reversed. At that point, it's too late to agree on anything.

The politicians running in the election shouldn't have to argue their challenges in court. Getting elections right is in the interest of all citizens. Many countries have independent election commissions that are charged with conducting elections and ensuring their security. We don't do that in the US.

Instead, we have representatives from each of our two parties in the room, keeping an eye on each other. That provided acceptable security against 20th-century threats, but is totally inadequate to secure our elections in the 21st century. And the belief that the diversity of voting systems in the US provides a measure of security is a dangerous myth, because few districts can be decisive and there are so few voting-machine vendors.

We can do better. In 2017, the Department of Homeland Security declared elections to be critical infrastructure, allowing the department to focus on securing them. On 23 March, Congress allocated $380m to states to upgrade election security.

These are good starts, but don't go nearly far enough. The constitution delegates elections to the states but allows Congress to "make or alter such Regulations". In 1845, Congress set a nationwide election day. Today, we need it to set uniform and strict election standards.

This essay originally appeared in the Guardian.

Read the whole story
30 days ago
Share this story

In Fedora, your initramfs contains a copy of your sysctl settings

1 Share

It all started when I discovered that my office workstation had wound up with its maximum PID value set to a very large number (as mentioned in passing in this entry). I managed to track this down to a sysctl.d file from Fedora's ceph-osd RPM package, which I had installed for reasons that are not entirely clear to me. That was straightforward. So I removed the package, along with all of the other ceph packages, and rebooted for other reasons. To my surprise, this didn't change the setting; I still had a kernel.pid_max value of 4194304. A bunch of head scratching ensued, including extreme measures like downloading and checking the Fedora systemd source. In the end, the culprit turned out to be my initramfs.

In Fedora, dracut copies sysctl.d files into your initramfs when it builds one (generally when you install a kernel update), and there's nothing that forces an update or rebuild of your initramfs when something modifies what sysctl.d files the system has or what they contain. Normally this is relatively harmless; you will have sysctl settings applied in the initramfs and then reapplied when sysctl runs a second time as the system is booting from your root filesystem. If you added new sysctl.d files or settings, they won't be in the initramfs but they'll get set the second time around. If you changed sysctl settings, the initramfs versions of the sysctl.d files will set the old values but then your updated settings will get set the second time around. But if you removed settings, nothing can fix that up; the old initramfs version of your sysctl.d file will apply the setting, and nothing will override it later.

(In Fedora 27's Dracut, this is done by a core systemd related Dracut module in /usr/lib/dracut/modules.d, 00systemd/module-setup.sh.)

It's my view that this behavior is dangerous. As this incident and others have demonstrated, any time that normal system files get copied into initramfs, you have the chance that the live versions will get out of sync with the versions in initramfs and then you can have explosions. The direct consequence of this is that you should strive to put as little in initramfs as possible, in order to minimize the chances of problems and confusion. Putting a frozen copy of sysctl.d files into the initramfs is not doing this. If there are sysctl settings that have to be applied in order to boot the system, they should be in a separate, clearly marked area and only that area should go in the initramfs.

(However, our Ubuntu 16.04 machines don't have sysctl.d files in their initramfs, so this behavior isn't universal and probably isn't required by either systemd or booting in general.)

Since that's not likely to happen any time soon, I guess I'm just going to have to remember to rebuild my initramfs any time I remove a sysctl setting. More broadly, I should probably adopt a habit of preemptively rebuilding my initramfs any time something inexplicable is going on, because that might be where the problem is. Or at least I should check what the initramfs contains, just in case Fedora's dracut setup has decided to captured something.

(It's my opinion that another sign that this is a bad idea in general is there's no obvious package to file a bug against. Who is at fault? As far as I know there's no mechanism in RPM to trigger an action when files in a certain path are added, removed, or modified, and anyway you don't necessarily want to rebuild an initramfs by surprise.)

PS: For extra fun you actually have multiple initramfses; you have one per installed kernel. Normally this doesn't matter because you're only using the latest kernel and thus the latest initramfs, but if you have to boot an earlier kernel for some reason the files captured in its initramfs may be even more out of date than you expect.

Read the whole story
71 days ago
Share this story

Kenneth Eng Is On The Other Side of Viral Now


Kenneth Eng is on the other side of viral now, where it's hard to see him.

11 years ago, in 2007, it was easy to see him. He achieved a brief burst of viral infamy for writing a column titled "Why I Hate Blacks," inexplicably published by the now-defunct AsianWeek. He had every quality we require for online notoriety: he did something we feel good about hating, his response to criticism was unrepentant and odd (he defended his column and declared himself an "Asian Supremacist"), and a little digging into his background revealed things we could easily mock, like his authorship of really awful science fiction:

[The Darkaeon] slashes the Universe with a blade of dark flame.


He experienced — and perhaps enjoyed — widespread condemnation and ridicule in blogs and forums, and on sites like Wired and Gawker. A few months later, he enjoyed a short resurgence of infamy when he was arrested for bizarre threats, making the pages of the New York Post and the Village Voice. Then, like a uninspired meme, he slipped from our consciousness, making room for the next freak-of-the-week and the next and the next after that.

Where do people like Kenneth Eng come from, and where do they go after their virality pops like a soap bubble? Surely they differ. But Kenneth Eng came from mental illness, to which he returned. How many other people we gawk at are like him?

The cover of Kenneth Eng's book.

Kenneth Eng's journey to fame and back takes on a very different tone when you start at the beginning rather than in the middle.

Eng is schizophrenic. This is how his lawyer described it in 2008, seeking a probationary sentence on federal threat charges:

Mr. Eng suffers from schizophrenia, a severe, lifelong disorder. He takes an anti-psychotic, with strong side-effects. Yet, with a somewhat grim prognosis for a lifelong affliction, the report notes Mr. Eng is making fair progress on treatment goals. The fact that he is making progress bodes well for him.

Counsel has noted a remarkable softening of Mr. Eng’s affect since he entered the treatment environment. Conversations with him are rather pleasant.

His severe mental illness was well-known years before his brush with modern fame. In 2003, he enraged and terrified fellow students, professors, and administrators at NYU, where he studied film. We know this because he attached much of the NYU email correspondence to his 2014 pro se federal civil rights complaint against everyone he could remember from NYU ten years before. Eng's version of events is not particularly exculpatory: he claims he was mistreated for refusing to work with "Negroes," for using racial epithets, and for proclaiming that he worships Hitler. He also claims to be the victim of anti-Asian racism, but his complaint is full of patently paranoid, bizarre conclusions, and hints at how terrifying he could be to others:

For the past 3769 days, I have wondered about what it would feel like to exact my revenge on this cowardly woman. I will never recover from the damage she and her ethnic group have inflicted on me, and the pain I feel every day because of cravens like her.

The NYU emails he attaches suggest what it was like for the people around him. "I want to go on record that keeping Kenneth could have serious repercussions," wrote one administrator. "It is my belief that Kenneth poses a real threat to the [NYU] community and has the capacity to harm or kill someone," said another. One professor told of getting an insulting, threatening call at home from Eng; another told of two students "so terrified" that they locked the classroom door after Eng left after a heated dispute. This was not always the case: one professor found him "intelligent, creative, talented, and fun to have as part of our class." But expressions of concern soon outweighed these positive reports. Eng was erratic, confrontational, sometimes incoherent, floridly racist, threatening, and generally a nightmare to those around him.

In 2004, after a confrontation in a NYU counseling session, the NYPD detained him and transported him to Bellevue Hospital, forcibly medicated him, and confined him for two weeks. We know this because in 2006 he convinced attorneys to file a civil rights lawsuit on his behalf against New York authorities. Eng dropped the suit based on an undisclosed settlement in 2007. That is the last time, as far as I can tell, that lawyers sued on his behalf; his many subsequent lawsuits are all pro se. But it was not the only time he was confined at Bellevue; he was committed again in 2009. He complains of that confinement in a 2014 pro se civil rights complaint replete with assertions that he was mistreated because he is Asian, because of his racial views, and because he was confined with African-Americans.

A wired article on Eng, typical of the tone of coverage of him.

We all knew perfectly well in 2007 that Kenneth Eng was crazy. But we pointed and laughed anyway.

I knew. I had no excuse not to know. Looking back at forum comments (it was before the time of this now-venerable blog), I see that I referred to him as crazy. That did not leaven my ridicule.

Eng, who was clearly not successfully treated by Bellevue, somehow won a columnist position with AsianWeek. This is consistent with the accounts of many who said he could be brilliant, articulate, and dedicated. He wrote his loathsome and bigoted column, and the paper made the inexcusable decision to publish it. Spectacle followed. Eng doubled down again and again, affirming his racism and proclaiming himself an "Asian supremacist." Journalists and bloggers gleefully dug up his science fiction and his imperious communications promoting it.

The coverage does not age well in light of what we know about Eng's schizophrenia. We knew that he was crazy, but only envisioned him as crazy in an entertaining way. "Deep Inside Kenneth Eng's Brain With His Unfinished Screenplay," teased Wired, promising an "obscure literary treat," and mocking his writing at length. The same author collected what she called "gossip" from NYU and confessed herself "fascinated" with Eng's "bizarre career," concluding "Yup, Eng truly is 'God.' Too bad he gets called names when he leaves the house once a month. Now you too can read his work." Eng later harassed the author, who penned a follow-up telling him he should "chill out." Gawker called him a "wacky Asian racist" in a column detailing his second arrest for bizarre threats. Gawker — which had a Kenneth Eng tag — maintained that tone throughout 2007. "Remember Kenneth Eng of 'Why I Hate Blacks' fame? He sure hopes you do" chortled Gawker when Eng gave an interview saying he thought and hoped he had inspired the massacre at Virginia Tech.

Fox News invited Eng on television to explain himself. The resulting interview is, in retrospect, sick and excruciating.

A few months later, Eng hit the news again when Village Voice published an interview in which he celebrated the Virginia Tech massacre and, decrying racism against Asians, proclaimed he would have done the same thing at NYU if he could have afforded a gun. The Village Voice's tone is no longer quite so jolly, but still strikes me as oddly detached. Eng got more publicity when he was arrested, prosecuted, and sentenced to therapy for threatening a neighboring family with a hammer. This news did not notably change the tone of coverage of Eng. Angry Asian Man (which, as a parent of Asian-American kids, I find to be an indispensable source of information about Asian-American struggles with racism, culture, and advocacy) reported on Eng's new legal troubles rather lightly, referring to him as "everyone's favorite "Asian Supremacist'" "the dragon master," and "krazy-ass Kenny."

But someone was genuinely concerned about Eng's deterioration — his family, and oddly, the federal criminal justice system.

The caption to the federal criminal complaint against Eng.

"Kenneth Eng Threatened A 'White Pussy' With Violence," the Village Voice leered when federal officials took him into custody after his state conviction. The feds — through the United States Attorney's Office for the Southern District of New York — prosecuted Eng for an incident years before during his troubles at NYU. The affidavit in support of the federal criminal complaint tells the tale: in 2004 Eng got into a confrontation with another student at NYU who objected to Eng derisively calling another classmate a "Negro," Eng spat in the classmate's face and called him a "white pussy," and in 2005 Eng called the classmate and jeered at him "remember me? I'm the one who spit at you." This call formed the basis of a felony charge of threats through interstate communication.

Two things are clear from the complaint. First, the feds were deeply concerned about Eng. The phone call is an extremely marginal basis for a charge, as they would soon see. And the complaint has information about Eng's Virginia Tech rant, even though that happened years after the charged offense. In looking at the record, it's clear that the feds, Eng's parents, Eng's lawyers, Eng's doctors, and an extremely cooperative federal court were using the prosecution as an instrument to compel Eng to submit to ongoing treatment. Eng's parents had the resources to post a $500,000 bail in one of his state cases and to hire a series of lawyers and psychiatrists, and the government's resources, of course, are formidable. The record reveals six years of everyone involved going to extraordinary lengths to make Eng get treatment, to deal with his relapses and outbursts, and to help him.

But it was not enough.

The first problem, oddly, was legal. Eng fairly rapidly agreed to plead guilty to the charge in exchange for five years probation. But the court, after very thoughtful analysis, rejected the plea, finding that it lacked a factual basis because the mocking call was not a "true threat" and therefore not a violation of the statute. True threats, as Popehat readers know, are threats that are intended, and reasonably interpreted, to be expressions of genuine intent to do harm. Here, Eng called his victim and made fun of him for having previously spit on him. The judge decided, not unreasonably, that nothing about that was a threat of future harm.

At this point, in a standard scenario, the government would have appealed the determination or the defense would have tried to convince the government or the court to dismiss the charges. This was not a standard scenario. Eng eventually agreed to plead guilty to a misdemeanor charge of interfering with someone's right to education through intimidation. The goal remained the same — his family, his lawyers, his doctors, and the government wanted him to get a sentence of probation with mandatory treatment. When the probation office recommended jail time, the government argued vociferously against it, supported by Eng's own lawyer's bleak assessment of his illness. Let me assure you as a federal criminal defense attorney that this is not a typical course of events.

Eng got his probation and his mandatory treatment. But the next five years were fraught with the sort of repeated problems we should expect with an intractable mental illness. Eng fell in and out of treatment, he was repeatedly cited for probation violations. He was arrested and prosecuted by New York authorities for harassment and stalking, which led to more federal probation violations. The attorneys, doctors, and the judge made extraordinary efforts to avoid prolonged incarceration and to continue treatment — the judge held multiple hearings with physician testimony.

Everyone did everything they could.

It was not enough. In wealthiest country in the history of the world, a country with the power of an angry god, with weight of doting affluent parents and lawyers and doctors and an utterly out-of-character criminal justice system, it was not enough. This is, perhaps, the most grim part of the story, grimmer even than our indifference and casual cruelty. If Kenneth Eng can't be helped successfully, what's the hope for the millions out there in worse circumstances, some of them potentially violent? Kenneth Eng didn't slip through the cracks. He got support that, if you described it in a story, I would dismiss as fanciful. What about people without those resources and without that support?

Kenneth Eng's federal probation ended in 2013. We can trace his life for a while thereafter through his campaign of federal lawsuits. He filed two dozen, all pro se, in 2013 and 2014 in federal court in New York. He sued people for posting his books online, and he sued people for using ideas he claimed he invented, like space dragons or the character name "Terrordactyl" and the concept of a sentient universe. It would be easy to laugh at them, as we often laugh at crazy lawsuits, as we laughed at his bizarre racist rants. You'd need a heart of stone not to laugh at Eng v. Philosoraptor. He did, in fact, get a little coverage of these intellectual property suits. There was no coverage of his other suits — the ones claiming racial discrimination, the ones claiming he was discriminated against because he was a racist, the ones engaging in virulent racism and using racial epithets, the ones relitigating his treatment at NYU and Bellevue and Rikers. His vexatious litigation reveals bits of his out-of-court life in 2014. The suits describe his unsuccessful efforts to maintain work in the face of his inability to interact with others, his public confrontations, his repeated brushes with law enforcement, his subsistence on disability and unemployment payments. The quality of his filings steadily degraded, varying from meritless but coherent and neatly typed copyright claims to enraged, barely legible scrawls incorporating racial epithets into the case captions. Courts dismissed all of the suits, usually by refusing to let him file them without filing fees.

When I was a prosecutor, we used to get lawsuits and motions from prisoners. They stank of cigarette smoke, a stink that penetrated the plain manila envelopes containing them. Eng's lawsuits stink of untreated madness. I might ordinarily mock them. I've mocked ones like them before. It's harder after reading about who he was, who he is.

Towards the end of 2014, with the last of his lawsuits dismissed, Kenneth Eng dropped from sight. I can't find more references to him. I do not have the heart to go beyond the web and research whether he is confined, whether he continues to relapse without notice, whether he's even alive. Maybe he's even better. Maybe.

Why are we the way we are? Is Kenneth Eng a schizophrenic whose illness finds expression through florid racism? Or is he a racist asshole who is also schizophrenic? It makes little difference to the people he abused or threatened or assaulted, the people terrified that he would go on a violent spree, or the people repulsed to see the seemingly mainstream AsianWeek publish his racist screed. It is right and fit that we should support those people and acknowledge how they felt, whatever Eng's motives were. It is appropriate to protect them. But how should we treat Kenneth Eng? Not, I think, with carefree laughter.

Kenneth Eng is on the other side of viral now, and it's hard to see him there. But we can still see ourselves, and the view is not always pleasant.

Copyright 2017 by the named Popehat author.
Read the whole story
83 days ago
Share this story

Match Ball

"I was playing around with matches one day and thought about how the heads of matches are slightly larger than the bodies. It got me wondering what would happen if I started gluing them together and never stopped."

"And here is our final result. Green has turned to black, potential has turned to spent, and I am never doing this again."

Previously, previously, previously, previously, previously, previously.

Read the whole story
90 days ago
Share this story
Next Page of Stories