My understanding is that the computer was paid off, they bought it, but the records were screwed up. They, being the rental company, should have had a process in place to un-install the monitoring (agent) software when a rental was actually purchased. Apart from that whole incident I am pointing out the closeness of the situation where a renter defaults or steals the computer compared to an owner installing such theft recovery software himself.
The "agent" running on the computer contacts a server not controlled by the computer's owner. The owner then logs into their account to trigger collection of information about the current user (thief). In both cases a thief will be caught by using surreptitiously collected information while the computer is being used. The differences are:
1) Is someone who defaults on payments the same as a thief?
2) There was apparently no process in place to deactivate the agent when the rented computer was purchased.
This brings up the following questions:
-When someone stops subscribing to Prey, is the agent still active?
-Is the user told how to completely deactivate the agent at that time?
-What mechanism prevents an admin for the Prey server from changing settings for an account and doing some snooping?
-What is to prevent someone lending out such a computer to an unsuspecting soul and doing a little snooping of their own?
-If law enforcement is aware that such software is installed on someone's computer can they do some remote viewing with a wiretap order, search warrant, subpoena, NSL, or none of the above?
The affidavits from 2007 indicate that the CIPAV tool is specific to a MS Windows OS. It looks like they are using a security vulnerability to install this tool on a target machine. That vulnerability could be an unpatched but well known vulnerability or it could be a 0-day vulnerability. Either way, the window (pun intended) for using such a vulnerability may be short and not guaranteed. I see three possibilities:
1) The FBI or some other TLA agency (NSA?) is constantly researching to find new vulnerabilities and updating the CIPAV.
2) The FBI purchases 0-day vulnerabilities on the black market. (Isn't that a fun conspiracy theory?)
3) The FBI has arranged with Microsoft to allow a backdoor for CIPAV to use that is close in functionality to the MS Windows update mechanism.
Why is this not a wiretap? The FBI has written code to collect as much information as they can without requiring a wiretap order. So, they are avoiding collecting the contents of messages. Does any of the information they are collecting step over the boundaries of what is considered addressing information available from messages sent through the internet? Information for which the courts have concluded there is no reasonable expectation of privacy.
(from Wired, 2007)
IP address
MAC address of ethernet cards
A list of open TCP and UDP ports
A list of running programs
The operating system type, version and serial number
The default internet browser and version
The registered user of the operating system, and registered company name, if any
The current logged-in user name
The last visited URL
I'll take these one at a time:
IP address: The IP address of your computer, or the IP address of your router (when using NAT) is what is seen in every packet sent and received by your computer. This is clearly not private information.
MAC address of ethernet cards: The MAC address is sent only to other devices on a LAN. Depending on the type of connection to your ISP, a MAC address may or may not be used. If you have a router, your computer's MAC address is not sent on the interface that is the router's connection to the internet. Generally, your computer's MAC address is not sent to the internet. However, it is still just addressing information.
A list of open TCP and UDP ports: It is not clear how this information is acquired. One could scan your computer or router remotely which would give a list of ports that allow reception of requests. However, firewalls usually prevent unsolicited requests, so a true list of active ports requires collecting data internal to the computer. Alternatively, one could deduce the active ports by monitoring traffic from your computer to the internet. Ultimately, such information is just addressing information at the transport protocol level.
A list of running programs: I am assuming this is a list of the user applications and not the processes and threads underlying a program. I am also assuming this list just reflects the programs running from the active user account (the one with the spyware), as one can be logged into multiple accounts simultaneously. Not all programs use the internet. The collection of this information, although still just a high level overview, clearly oversteps the bounds of privacy in my mind.
The operating system type, version and serial number: The operating system type and version is put into every user agent header on every HTTP packet sent. What is not sent is the serial number of the operating system software installed. This is gotten from the Windows Registry (I do believe this tool is specific to MS Windows). This is simply identifying information, but it is not sent out on the internet unless you are doing a Windows update.
The default internet browser and version: This information is in the user agent header used in HTTP. Not private.
The registered user of the operating system, and registered company name, if any: I believe this information is also in the Registry and not generally sent out in any packet to the internet. I think that this information is sent during an MS Windows update but I have not looked this information up or monitored the packets sent during such an update. (Now I'm interested in doing this though). I would consider this private even though it is just identifying information.
The current logged-in user name: This is your account name under Windows. I don't think it is ever sent out in packets though I could be wrong. It is also a Registry item and just identifying information.
The last visited URL: It is interesting that all the rest of the browser history isn't accessed. I suspect they are getting this tidbit also from the Registry. What should be pointed out though is that a URL can contain more information than just a web address and pathname. It can contain private information passed in the "query" field. Also, the fragment identifier (the part after "#") is being used for new things and might contain private information. I would say there is the possibility that a URL can be considered, in part, "contents of a message". Just because its main use is addressing doesn't eliminate this additional use and doesn't supply an excuse to collect it without a warrant.
I suspect the courts are not looking closely or are not understanding these technical details. This is a slippery slope of expanding identifying and addressing information to actually include content that should be considered private enough to require a warrant or wiretap order. You can learn a hell of a lot about someone if you can monitor all the metadata in their communications. On the opposite end of the stick, the government would like to restrict all sensitive information (SSI) even though any particular piece is not considered classified. This shows me that they recognize the potential danger of metadata when it is accumulated. The restriction of government information is a whole other issue though. I am just pointing out hypocrisy.
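The point above about the last visited URL, as an added example that is not part of the original comment: a small log-minimization helper that treats the web address and pathname as addressing and the query values and fragment as possible message content, following the distinction the comment draws. The function names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode


def classify(url):
    """Split a URL into addressing parts and parts that may carry content."""
    p = urlsplit(url)
    addressing = {"scheme": p.scheme, "host": p.hostname,
                  "port": p.port, "path": p.path}
    content = {}
    if p.username or p.password:
        # Credentials embedded before the "@" are never addressing.
        content["userinfo"] = (p.username, p.password)
    pairs = parse_qsl(p.query, keep_blank_values=True)
    if pairs:
        content["query"] = pairs          # search terms, account ids, tokens
    if p.fragment:
        content["fragment"] = p.fragment  # client-side state, sometimes tokens
    return {"addressing": addressing, "content": content}


def redact(url, marker="REDACTED"):
    """Return the URL with only addressing information left readable.

    Query keys are kept so the log still shows which endpoint shape was
    hit, but every value is replaced; userinfo and fragment are dropped.
    """
    p = urlsplit(url)
    netloc = p.netloc.rpartition("@")[2]  # strip any user:password@ prefix
    pairs = parse_qsl(p.query, keep_blank_values=True)
    query = urlencode([(k, marker) for k, _ in pairs])
    return urlunsplit((p.scheme, netloc, p.path, query, ""))


# Constructed sample URLs (not taken from any affidavit or log).
SAMPLES = [
    "https://mail.example.com/search?q=divorce+lawyer&user=alice#msg-4512",
    "https://app.example.net/cb#access_token=abc123",
    "http://example.org/index.html",
]

if __name__ == "__main__":
    for u in SAMPLES:
        info = classify(u)
        print(redact(u), "| content-bearing parts:", sorted(info["content"]))
```
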
Most, if not all, cryptographers do not think that strong encryption algorithms, like AES, have a backdoor. There may be weaknesses known only to the NSA which give them an advantage by doing slightly better than a brute force attack on the key. However, no one thinks the NSA can currently decrypt a message encrypted with AES-256, for example. You do have to be pretty careful about what you are doing however. The Venona decrypts of Russian communications from WWII were made possible by repeating the use of a one-time pad. A one-time pad is unbreakable encryption, but you have to use it properly.
I would expect the U.S. to "leak" some more "critical details" within the next two weeks. This should be true, whether or not they really have access to a load of unencrypted emails, as they just need to convince Al Qaeda that this is true.
If you are referring to Private Manning, he did not have access to the Joint Worldwide Intelligence Communications System (JWICS) which carries top secret information. He had access only to SIPRNet.
Mike, you are advocating a distributed and decentralized internet but you have to look more closely at how the internet is currently decentralized and why a P2P architecture has advantages, if any, over other alternatives. Redundancy has been built into large websites by using multiple servers and load sharing between them as well as by using content delivery networks (CDNs). The most common mistake that brings down a website is a software update that wasn't field tested, and a bug brings everything down. It is quite conceivable that a software update, while using a P2P architecture, could be equally effective in bringing the site down. There are many ways to build in redundancy. As far as being a more efficient technology, multicast addressing is certainly more efficient than P2P. IP multicast is already used for stock exchanges and some CDNs. IRC also uses multicast, albeit not IP multicast. A major disadvantage of P2P is that it can cause home routers to crash by overloading the NAT tables. If P2P comes into use for more things, that part of the infrastructure is going to have to be fixed. Finally, while having information not being controlled by a single entity is a desirable goal, I am not sure that P2P solves that issue completely.
I know the government is saying they have the biggest collection of terrorist intelligence ever, but I am wondering why Bin Laden wouldn't have encrypted everything with strong encryption. It's conceivable that he was too arrogant to think he would ever be captured or maybe he was too stupid to think of cryptography. However, Al Qaeda leaders did learn not to carry cell phones, so they can't be that stupid. Osama Bin Laden, in particular, knew the U.S. would never stop trying to find him. So, why wouldn't he assume that would happen eventually and prepare for it? I am wondering if the US isn't just claiming a treasure trove to help flush out any other leadership.
I am curious. Why do you think an investigator license is needed to collect a set of IPs that have participated in a download to the "investigator's" computer? I could download the Expendables and do exactly the same thing.
Re: Re: Re: Stop using the term downloading for uploading
The BitTorrent, peer-to-peer file sharing protocol, uses TCP. TCP is a "reliable" packet transfer protocol and so, uses acknowledgments. Until a set of packets (the window size) is acknowledged by the receiver no more are sent. If your IP address is still part of the swarm when a download is finished, the downloader can be sure that your IP was a source, successfully delivering some part of that file.
The investigators find these IP addresses by using BitTorrent to download the movie (file) in question.
Ah, I see that someone else has pointed out that the transmission is activated remotely and the frequency is outside of the cell network. So this particular tracking device stores information and then when queried remotely by say, an FBI can cruising nearby, there is a brief burst of communication.
Transmission generally uses the cell phone network. So, transmission is to the nearest cell phone base station, just like a normal cell phone. The better ones can be set for continuous (actually, regular bursts) transmission or to only transmit when the car is moving. Less transmission saves significantly on battery power.
Are there any trademarks that pertain to all possible categories? Can I not manufacture and sell underwear, made from some nano-technology designed fabric, and call my brand Microsoft? Once having done that can I not register the .microsoft domain even though the (mostly) software company is 10,000 times bigger? I am pretty sure Microsoft is registered for "software" and not "soft wear".
The generic TLDs have no fixed category, and that emphasizes my point. Trademark law cannot guarantee a company has exclusive right to any particular name. Because of that, I am not going to search for something assuming that .microsoft pertains to the company Bill Gates co-founded, and nobody else should either.
I would like to emphasize the distinction between pretending to actually be some other company or individual, as in phishing, versus just using the trademark name or something similar to a trademark name to cash in on the better reputation or more known name to sell your own stuff.
That first kind of nefarious activity is fraud and is covered under other laws so using trademark law is not necessary. For websites, like banks, that really need to be secure, there are technical solutions; use of HTTPS along with digital certificates and use of graphical site identifiers before supplying a password. This is really a more serious crime than just trademark infringement, so why use trademark infringement laws to fight it? Otherwise, you can be reduced to arguing over trivialities about how little a difference there can be in spelling a word before it represents trademark infringement. This is what I meant by saying relying on trademark law is a bad solution.
I am not arguing that trademark law should be abolished. However, it does have a particular problem on the internet. Trademark law allows two, or more, instances of the same name if the products or services are not in the same category, or categories, as specified during registration. On the internet, you don't necessarily know until you arrive at the website what that URL represents. So who has priority on a domain name? Trademark law is not a sufficient solution to solve this problem. In this context, arguing over spelling differences seems especially trivial. Add in the amount of time wasted over things like Godzilla versus bagzilla (Sears) and Godzilla versus Davezilla (who didn't even sell anything) and the whole issue starts to become absurd.
I would argue that adding specific TLDs like .travel has the potential to help clear up trademark fights over the same word being used for different things. You can separate them with more TLD categories. I do have reservations about this apart from trademark issues. On the other hand, gTLDs will not help, because a generic TLD is not stuck in any sort of category. The trademark argument against either sort of expansion is that these companies will have to repeat their fights for each new TLD. This doesn't make sense because the law cannot resolve all conflicts anyway and users simply don't search using top level domains explicitly. They generally rely on .com or whatever Google returns for a keyword search. Adding more TLDs won't make any difference.
-The woman who was being tracked by the FBI refused to give the device back when they asked and they just let it go.
-An elderly Arab (US citizen) gentleman had a GPS tracking device installed by his local police department in San Rafael, California. This was in June, 2009 before the 9th circuit decision gave law enforcement clearance to do such tracking without a warrant. The guy had no criminal record, and still doesn't.
(funny coincidence: San Rafael was where science fiction author P. K. Dick lived when his house was broken into and his files stolen back in 1971.)
The problem you are addressing is "nefarious purposes" such as phishing. Relying on trademark law to address this is a bad solution. If a website doesn't match what a user expects, the user then looks to correct that mistake. If I type in whithouse on the address bar, I get whitehouse.com which clearly has nothing to do with the president. If I search for "whitehouse" on Google, the first entry in the response is "whitehouse.gov". As long as you can find what you want without too much difficulty, everything is fine. If a website is so close to what you are looking for that it fools you, then fraud comes into play. There are legal and technical solutions having nothing to do with trademark infringement. My banks have a visual site identifier, unique to me, that I see before I enter a password.
On the post: One Man, One Stolen Laptop... And Twitter, Prey (And A Purple Sarong?) To The Rescue
Re: Re:
On the post: One Man, One Stolen Laptop... And Twitter, Prey (And A Purple Sarong?) To The Rescue
http://www.techdirt.com/articles/20110505/00424214164/laptop-rental-provider-sued-spying-renters-via-surreptitious-webcam-software.shtml#c326
On the post: Some Feds Wanted To Find A Loophole To Avoid Warrants When Using FBI's Homemade Spyware
How is CIPAV installed?
The following is from the FBI's 2007 Timberlinebombinfo affidavit:
http://www.wired.com/images_blogs/threatlevel/files/timberline_affidavit.pdf
"Registry information can be provided by a computer connected to the Internet, for example, when that computer connect to the Internet to request a software upgrade from it's software vendor."
Let the conspiracy theories begin!
On the post: Some Feds Wanted To Find A Loophole To Avoid Warrants When Using FBI's Homemade Spyware
wiretap?
On the post: How Bin Laden Emailed Without Internet: Sneakernet-To-The-Home
Re:
On the post: How Bin Laden Emailed Without Internet: Sneakernet-To-The-Home
Re: Re: treasure trove?
On the post: How Bin Laden Emailed Without Internet: Sneakernet-To-The-Home
Re: Re: Re: treasure trove?
On the post: Could BitTorrent Be The Distributed Social Network People Have Been Clamoring For?
Why P2P?
On the post: How Bin Laden Emailed Without Internet: Sneakernet-To-The-Home
treasure trove?
On the post: Judge Allows US Copyright Group To Shakedown 23,322 IP Addresses For Downloading The Expendables
Re:
On the post: Judge Allows US Copyright Group To Shakedown 23,322 IP Addresses For Downloading The Expendables
Re: Re: Re: Stop using the term downloading for uploading
On the post: BMI Says A Single Person Listening To His Own Music Via The Cloud Is A Public Performance
Re: Re: Re: Re: Re: The following two cases ....
On the post: W3C Steps Up: Wants To Create A Decentralized, Distributed Web System
Re: imagine
On the post: iFixit & Wired Teardown Of FBI Tracking Device Found On Activist's Car
Re: What I Dont Understand ...
On the post: iFixit & Wired Teardown Of FBI Tracking Device Found On Activist's Car
Re: What I Dont Understand ...
On the post: Copyright Maximalists Come Out Against New TLDs Because It Creates 'More Space' For Infringement
Re: Re: Re: Re:
On the post: Copyright Maximalists Come Out Against New TLDs Because It Creates 'More Space' For Infringement
Re: Re: Re: Re: Missing something?
On the post: iFixit & Wired Teardown Of FBI Tracking Device Found On Activist's Car
On the post: iFixit & Wired Teardown Of FBI Tracking Device Found On Activist's Car
Re:
for example, this one is available to anybody (I'm not plugging this):
http://www.brickhousesecurity.com/realtime-gpstracking-device.html
On the post: Copyright Maximalists Come Out Against New TLDs Because It Creates 'More Space' For Infringement
Re: Re: Missing something?