On the post: An Innocent Pressure Cooker Pays The Price In The War On Terror
Not an overreaction...
This is not the typical "oh, it's a suspicious package" overreaction. This was a parked car, on the Capitol Mall, with a pressure cooker in view.
Pressure cookers ARE bombs by design: as pressure bombs go (aka pipe bombs), pressure cookers are up there, with way more punch than an ordinary pipe bomb but slightly less punch than a fire extinguisher.
Not only that, but you can easily build a pressure cooker bomb that doesn't have an external igniter but a timer in the bomb itself, so it doesn't look any different from a pressure cooker. In fact, for a timer-based bomb, it's easier to do it that way.
So this was far more reasonable than the typical "it's a mystery box, call the bomb squad" reaction, and is what I would want the Capitol Police to do in this situation.
On the post: FBI Director Claims That The World's Most Knowledgeable Cybersecurity Experts Are Not 'Fair Minded' About Encryption Backdoors
I'm so glad to be called uninformed...
I'm so glad to be part of this "uninformed or not fair minded" group.
Considering that, just yesterday, I spent my morning writing a non-technical explainer on the latest UXO from the first crypto war that just blew up in our faces...
On the post: Silk Road Judge Won't Examine FBI's Warrantless Server Hacking; Dismisses Suppression Motion On 'Privacy Interest' Technicality
Ulbricht's lawyer is an idiot...
Ulbricht and his lawyer were given multiple chances to have Ulbricht declare a 4th Amendment interest in the server, including a specific offering from the judge, where the lawyer responded "we will rest on our papers", despite this being very well settled case law.
The theory being that such a declaration would constrain Ulbricht's legal strategy. If Ulbricht did provide such a declaration, only if he testified that the server wasn't his would the prosecution be able to say "uh, you said this server was yours".
But the idiot lawyer forgot that the bell has already been rung: Ulbricht submitted a similar declaration (under effectively the same terms) in the civil forfeiture over the 180k-odd bitcoins seized from his laptop. If Ulbricht is so foolish as to get on the stand, the prosecution will go "So, how did you get those millions of dollars' worth of Bitcoins on your computer?"
If Ulbricht replies with anything other than "Uh, you got me", the prosecution then has a rebuttal expert show how those Bitcoins were derived from Silk Road, by tracing all the hundreds of law enforcement and other test purchases and showing how the premium flowed into DPR's booty chest.
Overall, it feels like Ulbricht's lawyer has a bad hand, but is grandstanding to the tech press and the crowd that wants to see Ulbricht as some sort of hero, with talk of general warrants and suchlike. But the only realistic hope Ulbricht had was to suppress the evidence collected from the Silk Road server: as long as the server stands (and it now does), the good ship Revenge is well and truly sunk.
If Ulbricht's lawyer is wise, he'll get his client to plead out to something that will see Ulbricht released in 10 years, because the feds are throwing the book at him with mandatory minimums, and haven't even started yet with the murder-for-hire charges.
On the post: Ross Ulbricht Pulls Out A 4th Amendment Defense For Pretty Much Everything
The "throw everything at the wall and see if it sticks" part is doomed to fail, but is apparently the standard MO for a good attorney.
But the big 4th Amendment issue is the real deal: a "miracle" is not a justification for a warrant, yet the FBI's discovery of the Silk Road server is just that, a miracle. EVERYTHING the FBI has depends on that initial server discovery. That even now they have not told the defense how is a big deal, and should worry everyone.
I want to see DPR convicted, but unless the FBI found those servers legitimately, in order to protect the liberties of the rest of us, having DPR go free is acceptable to me.
On the post: FIFA Pisses Away Free Advertising By Banning F1 Racer's Tribute Helmet To Germany's Futbol Team
Re: Re:
On the post: FIFA Pisses Away Free Advertising By Banning F1 Racer's Tribute Helmet To Germany's Futbol Team
The World Cup doesn't need "free advertising" after the event is over; it's absolutely irrelevant. More importantly, it actually would have cost FIFA a lot to say yes.
Hyundai/Kia paid an ungodly sum to be the official car sponsor of the World Cup, for use in advertising worldwide. Hyundai was not going to want Mercedes gaining a free ride of World Cup association because one of their drivers just happened to be German.
If FIFA had said "yes", complete with that big Mercedes logo in front of the helmet design, any "benefit" from free advertising would have been lost, as now every FIFA sponsor knows that their exclusivity can be diluted at a whim.
On the post: DailyDirt: What's That In Your Food?
First link is high on the bogosity factor...
1: Corn syrup, while the UK version just had more sugar. Both are equally damaging.
2: Corn starch, in red, was also in the UK version.
3: The colorant, in red, was probably just the unspecified "color" in the UK version.
4: The fats were just all classed as "fatty acids" in the UK version.
5: The artificial flavor, in red, was probably just the unspecified flavor in the UK version.
On the post: Cop's Wrong Firing Lawsuit Leads To Public Release Of Vulgarly-Titled 'Enemies' List
Ohh, iCloud boyz-and-girlz...
It's "Notes" on an iPhone. This can easily be set up to sync (and it complains when it doesn't) through iCloud, plus you get multiple backups through iTunes.
As a consequence, the right discovery requests could possibly get the edit history of the "Eat a bowl..." list, not just the current state.
I hope the plaintiff's lawyer is reading this...
On the post: Tons Of Sites, Including WhiteHouse.gov, In Unwitting AddThis Experiment With Tracking Technology That Is Difficult To Block
Re: Ghostery
Of course, the problem is that this ends up being potentially disruptive, as now the AddThis widget doesn't display at all.
On the post: New Emails Show That Feds Instructed Police To Lie About Using Stingray Mobile Phone Snooping
Re: what is a confidential source?
On the post: New Emails Show That Feds Instructed Police To Lie About Using Stingray Mobile Phone Snooping
Kyllo v. United States
I think they are afraid of Kyllo v. United States.
They are using these things without getting a warrant, yet it's very, very clear that Kyllo would require a warrant for these things:
"Where, as here, the Government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a 'search' and is presumptively unreasonable without a warrant."
(In this case, the search was an IR camera pointed at the home, and used to obtain a warrant looking for a grow room.)
Even the dissent in Kyllo was predicated on the observation that "this device didn't penetrate the home, so it's OK", which is certainly not the case with a Stingray, which searches within hundreds of homes to find a targeted phone.
I think they are (rightly) afraid that if warrantless use of Stingrays ever saw the inside of a courtroom, the resulting derived evidence would be thrown out by an angry judiciary.
On the post: Germany To Begin Formal Investigation Into NSA Surveillance -- But Only Of Angela Merkel
They aren't investigating because they cooperate...
The German government is a user of the NSA XKEYSCORE (the main Internet wiretap) software as well. They outright participate in the bulk monitoring of their citizens. The Stasi would be proud.
On the post: Guardian Installed SecureDrop Outside The UK, Due To Legal Threats
Re: Re: Securedrop is pointless theater...
No, I'm being realistic, as an expert in the field. Tor is really good at keeping an adversary from saying "what are you doing over Tor", but it positively stinks at hiding "is this person using Tor".
Tor by default glows in NetFlow (which everyone keeps), since the public relays are known, let alone in any real IDS which goes "hey, these certificates don't validate, oh, and are odd in the CN/SN structure".
This is why it was so easy to track down the Harvard hoaxer: "Look in NetFlow for contacts to the Tor relays. That's his IP. Look at the access logs to find out who it is. Oh, it's this one person, go knock on his door, Mr. FBI".
Alternate pluggable transports to bridge nodes prevent this, but your Tor Browser Bundle can't use those by default, since if it could, they'd no longer be good at hiding "this person is using Tor".
It comes down to this unfortunate fact: a source who knows how to use Tor without being identified as a Tor user (using Tails on a public WiFi hotspot, ideally divorced from normal habits/movements) already has enough OPSEC skills that they don't need Tor, but can instead use burner phones and the US mail.
Yet how many sources email the Guardian, the New York Times, the Washington Post, etc. without realizing that the mail servers are outsourced, and a subpoena or a search warrant away from every local cop or fed (or Google or Microsoft, for that matter)?
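The "look in NetFlow for contacts to the Tor relays, then look at the access logs" chain described in the comment above, as an added example that is not part of the original comment and not code from the Tor project. The relay set, the flow export format, the flow records and the access log are all constructed for this example (TEST-NET addresses, made-up usernames); in a real investigation the relay set would come from the published Tor consensus. It also shows the gap the comment points at: a bridge reached over a pluggable transport is not in the relay set and so produces no hit.

```python
"""Find Tor clients in NetFlow-style records and tie an address back to a person.

Added example, not code from the original comment or from the Tor project. The relay
set, the flow export format, the flow records and the access log are all constructed
for this example; in practice the relay set comes from the published Tor consensus.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed stand-in for the public relay list (TEST-NET addresses, not real relays).
KNOWN_TOR_RELAYS = {
    ("198.51.100.7", 443),
    ("198.51.100.23", 9001),
    ("203.0.113.88", 443),
    ("203.0.113.140", 9001),
}

# Constructed "inside" range as seen by the flow collector.
INTERNAL_NET = ip_network("10.20.0.0/16")


@dataclass(frozen=True)
class Flow:
    start: datetime
    src: str
    sport: int
    dst: str
    dport: int
    bytes_out: int


def parse_flows(text: str) -> list[Flow]:
    """Parse a minimal whitespace-separated flow export: start src sport dst dport bytes."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, sport, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, int(sport), dst, int(dport), int(nbytes)))
    return flows


def tor_contacts(flows: list[Flow], relays=KNOWN_TOR_RELAYS, internal=INTERNAL_NET) -> dict[str, list[datetime]]:
    """Internal source addresses that connected to a known relay, with the time of each contact.

    This is the "glows in NetFlow" check: no payload needed, only dst IP:port against the
    relay set. Traffic to an unlisted bridge via a pluggable transport does not match here.
    """
    hits: dict[str, list[datetime]] = defaultdict(list)
    for f in flows:
        if ip_address(f.src) in internal and (f.dst, f.dport) in relays:
            hits[f.src].append(f.start)
    return dict(hits)


def who_had_the_ip(access_log: str, ip: str, when: datetime, window: timedelta = timedelta(minutes=30)) -> set[str]:
    """Map an internal address at a given time to usernames in an auth/DHCP-style log (constructed format)."""
    users = set()
    for line in access_log.strip().splitlines():
        ts, user, addr = line.split()
        if addr == ip and abs(datetime.fromisoformat(ts) - when) <= window:
            users.add(user)
    return users


def investigate(flows_text: str, access_log: str, relays=KNOWN_TOR_RELAYS) -> dict[str, set[str]]:
    """The whole chain from the comment: relay contacts in flow data -> internal IP -> account holder."""
    result = {}
    for ip, times in tor_contacts(parse_flows(flows_text), relays).items():
        result[ip] = set().union(*(who_had_the_ip(access_log, ip, t) for t in times))
    return result


# Constructed sample data. 10.20.5.41 and 10.20.9.200 talk to relays; 10.20.7.12 does not.
FLOWS = """
2014-01-15T08:30:12 10.20.5.41 52310 198.51.100.7 443 18240
2014-01-15T08:31:02 10.20.5.41 52311 203.0.113.88 443 902110
2014-01-15T08:31:40 10.20.7.12 49502 192.0.2.10 443 4120
2014-01-15T08:35:09 10.20.9.200 60011 198.51.100.23 9001 7700
2014-01-15T09:02:55 10.20.5.41 52399 203.0.113.140 9001 33010
"""

ACCESS_LOG = """
2014-01-15T08:05:00 jdoe 10.20.5.41
2014-01-15T08:20:00 asmith 10.20.7.12
2014-01-15T08:34:00 bwong 10.20.9.200
2014-01-15T13:00:00 mlee 10.20.5.41
"""

if __name__ == "__main__":
    for ip, users in investigate(FLOWS, ACCESS_LOG).items():
        print(ip, "->", sorted(users))  # 10.20.5.41 -> ['jdoe'], 10.20.9.200 -> ['bwong']
```

Nothing in this needs packet payload or the TLS certificate heuristic the comment also mentions: the destination IP and port alone are enough once the relay list is public, which is exactly why plain Tor Browser traffic stands out in flow data that most networks retain anyway.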
On the post: Guardian Installed SecureDrop Outside The UK, Due To Legal Threats
Re: Re: Securedrop is pointless theater...
a: The UK government would need to ask for an MLAT. Which is a pain in the ass.
b: The third-party doctrine and the Stored Communications Act and all that crud would not apply. This is first-party data now.
c: The Guardian's lawyer is right there to fight it.
d (and the most important one): The Guardian would know.
Just the knowledge that the newspaper would know when its email was searched goes a long way toward preventing Rosen-style incidents, since guess what happens if a search is attempted? It becomes front page news. And those executing the warrants know it becomes front page news, adding in a pretty big check right there.
So yes, putting your press institution's mail server in your office in the US under your lawyer's desk does actually provide a substantial amount of protection for a press institution.
On the post: Guardian Installed SecureDrop Outside The UK, Due To Legal Threats
Securedrop is pointless theater...
SecureDrop is pointless security theater: any source capable of actually using SecureDrop without a Harvard OPSEC fail doesn't need to use SecureDrop.
Rather, if the Guardian was actually serious about doing something meaningful, they would run their own mail servers and put them in their US office under their lawyer's desk.
Because, since it is outsourced to Gmail, they admit they can't trust their email at all to be private, but do potential sources know that?
On the post: DOJ's Tone Deaf Criminal Charges Against Chinese Hackers Helps No One, Opens US Officials Up To Similar Charges
It really mystifies me too...
The US keeps making a distinction between economic espionage (where the data is stolen from a company and given to another company) and "national interest" (where the data is stolen from a company and given to US trade negotiators instead). It's one that they believe in, but the rest of the world doesn't.
And otherwise, the NSA has proven to be as aggressive (if not more so) than the Chinese. After all, the NSA hasn't bothered with spearphishing since they started weaponizing the Internet backbone...
So how are any high-up officials in the intelligence community ever going to visit, say, Brazil, which now knows that Petrobras was hacked by the NSA to gain information to the US's advantage? Or any DEA official in the Bahamas, now that it's been revealed that the NSA, with DEA help, executed full-take of all cellphone calls?
I think the reason for it is willful ignorance. The one group most ignorant of the NSA's activities is the US government itself: because all the Snowden slides are still classified, and reports often include the slides themselves, they are like a bunch of kids going "nah nah nah, we aren't listening".
Thus, as a result, they make stupid decisions, like starting an "arrest for hacking" legal war with the rest of the world, and are going to be facing a world of grief once everyone else goes "hey, if the US does it to NATO allies, we can do it to them..."
On the post: Anti-Game Violence Crusader Leland Yee Arrested On Charges Of Bribery, Corruption And Arms Trafficking
See pages 83 and 84...
On the post: Anti-Game Violence Crusader Leland Yee Arrested On Charges Of Bribery, Corruption And Arms Trafficking
Ha, arms dealing...
A link to the complaint here: http://media.nbcbayarea.com/documents/complaint_affidavit_14-70421-nc.pdf
Leland Yee is also a notorious anti-gun legislator, to the point of ridiculousness. His biggest focus was on the "bullet button", which is actually something gun control people SHOULD embrace. [1]
Thus the gun charge is particularly amusing: basically it's setting up a deal (in return for a campaign contribution) with a gun importer.
[1] Namely, in CA, an "assault weapon" is defined as a rifle with "removable magazine + 1 scary-looking feature (pistol grip, flash suppressor, adjustable stock, etc.)".
So someone came up with the "bullet button": a magazine release that requires a tool, so it's no longer removable, and a legal limit of 10-round magazines.
Now these are great: the gun types can have their ARs with all the features they think are so cool, they are great home defense guns (far better than a pistol or a shotgun: 5.56 breaks apart much more easily in walls and is much more accurate), yet they, well, can't be quickly reloaded!
So it's perfect: the tacticool guys get their tacticool shit, people who want a home defense gun get 10 easy-to-hit-with, break-apart-in-walls shots, but the crazy wacko spree killers are SOL. And the gangbangers always used pistols: it's hard to stick an AR down your pants.
Yet Senator Yee viewed this as a "loophole" and has been fighting it for years. He and a couple of colleagues got a sweeping "assault weapon" ban passed that would reclassify effectively EVERY rifle as an "assault weapon"! (It was so bad that Governor Brown actually vetoed it!)
On the post: Belgian Prosecutor Looking Into Reports That NSA/GCHQ Hacked Well-Known Belgian Cryptographer
Re:
I'd ask the opposite: what kind of person, who sees mail with a link that
a: comes from a company that routinely sends such mail,
b: matches semantically with such mail, and
c: would be something they'd want to view,
would NOT click on the link? I think the "blame the user" mantra here is ridiculous. Such links should be untrusted (no plugins, no scripts), or disabled completely, but to expect users not to click on a link in email destroys the whole notion of sending links in email.
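The "links should be untrusted (no plugins, no scripts), or disabled completely" handling the comment above asks for, as an added example that is not part of the original comment and not code from any real mail client. It strips active content and remote loads from an HTML message, then either rewrites every link through a click-through sandbox viewer or removes the link targets outright. The viewer address SANDBOX_VIEWER is hypothetical and SAMPLE_MAIL is a constructed lure; both exist only for this example.

```python
"""Render links from e-mail as untrusted: strip active content, rewrite or remove hrefs.

Added example, not code from the original comment or from any mail client. The
SANDBOX_VIEWER address is a hypothetical click-through service and SAMPLE_MAIL is a
constructed message; both exist only for this example.
"""
from __future__ import annotations
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

# Elements that carry scripts, plugins or active content: dropped together with their bodies.
DROP_ELEMENTS = {"script", "style", "object", "embed", "applet", "iframe", "form"}
# Attributes that trigger remote loads (tracking pixels, remote CSS) on any tag.
REMOTE_ATTRS = {"src", "action", "formaction", "background"}
# Hypothetical isolated viewer that opens the link away from the user's browser session.
SANDBOX_VIEWER = "https://viewer.example.invalid/open?u="


class MailSanitizer(HTMLParser):
    """link_mode="sandbox" rewrites <a href> through the viewer; "disable" removes hrefs."""

    def __init__(self, link_mode: str = "sandbox"):
        super().__init__(convert_charrefs=True)
        self.link_mode = link_mode
        self.out: list[str] = []
        self.links: list[str] = []   # original targets, kept for logging / threat intel
        self.skip_depth = 0          # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self.skip_depth += 1
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name in REMOTE_ATTRS:
                continue                      # inline handlers and remote loads never survive
            if name == "href":
                if tag != "a":
                    continue                  # <link href>, <base href>: no business in mail
                self.links.append(value)
                if self.link_mode == "disable":
                    continue
                value = SANDBOX_VIEWER + quote(value, safe="")
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))


def sanitize_email_html(html: str, link_mode: str = "sandbox") -> tuple[str, list[str]]:
    """Return (sanitized HTML, list of the original link targets)."""
    p = MailSanitizer(link_mode)
    p.feed(html)
    p.close()
    return "".join(p.out), p.links


# Constructed lure: plausible context, a link the user has every reason to click,
# plus a script, an inline handler and a tracking pixel.
SAMPLE_MAIL = (
    '<p>Your invoice is ready. '
    '<a href="http://evil.example/inv" onclick="steal()">View invoice</a></p>'
    '<script>steal()</script>'
    '<img src="http://evil.example/px.gif" width="1" height="1">'
)

if __name__ == "__main__":
    print(sanitize_email_html(SAMPLE_MAIL)[0])
    print(sanitize_email_html(SAMPLE_MAIL, link_mode="disable")[0])
```

The point of keeping the original targets in a separate list is that the user never sees them, but the mail gateway still gets to log and reputation-check them; the user can click anything they like and the worst that happens is a page rendered inside the viewer.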
On the post: Belgian Prosecutor Looking Into Reports That NSA/GCHQ Hacked Well-Known Belgian Cryptographer
Please correct, this is likely NOT the NSA...
Two very important points:
The initial attack was phishing based. The NSA doesn't need to phish; instead they just use direct packet injection.
The malcode appears to be a MiniDuke variant.
We don't know who is operating MiniDuke (namely, is it the Russians or is it the Chinese?), but the targeting history suggests that it is not the US/UK, as a significant number of the targets of MiniDuke have been US/UK computers (think tanks, research institutions), while NSA/GCHQ is largely outward facing.
Thus the headline is WRONG: Quisquater was probably attacked by a nation-state level adversary, but that adversary is probably NOT the NSA/GCHQ.