Nicholas Weaver's Favorite Techdirt Posts Of The Week
from the crazy-paranoid dept
OK, so who is this crazy paranoid ivory tower dweller who said "Yo" when asked if he'd do the "Favorite Posts of the Week," and who is prefacing this with the standard academic disclaimer of "all opinions are my own, not those of my employers or funders"?
I'm a researcher at both the International Computer Science Institute in Berkeley and UC San Diego. My work has included high-speed worms, detecting ISP manipulation of network traffic, and the business model of Viagra spammers. I've also ranted on how the NSA weaponized the Internet backbone, and if you want to test your network connection, I'm also one of the developers of Netalyzr, which is now available as an Android app. Please help us understand how the Internet really works: download and run Netalyzr today!
I'll start not with the NSA but with the latest in the Prenda saga. Ah, Prenda. You've been partially responsible for my spending too much of my beer money on PACER. My liver thanks you, but my wallet loathes you. Thus it's with utmost delight that I read how the Prenda principals of Paul, Paul, and John have drawn the wrath of the Nazgul, err, no wait, a group that should scare them more: Comcast's and AT&T's lawyers. Comcast's legal counsel let loose with a full broadside, detailing all the ways that the firm of Prenda vexatiously litigated the case, while AT&T basically went with "yeah, what he said" (probably saving Prenda a good $5K in the process). I suspect that the final bill (or at least the supersedeas bond) will be epic.
More important, albeit less popcorn-worthy, was Google's total victory over the Authors Guild. I'm hardly Google's biggest fan (I prefer companies who treat me as a customer, not a SKU), but Google Books represents an unquestioned good for scholars, users, and even authors. Unstated but equally important, the lack of a license implies that others can do the same, preventing Google from gaining a monopoly through an exclusive agreement.
But I can't stay away from the spook show. Two particular stories came to mind. The first is GCHQ's tepid response to their hacking. Some backstory is necessary. What the GCHQ did was:
- Identify a set of technicians at Belgacom
- Identify their Slashdot and/or LinkedIn Accounts
- Instruct their wiretaps to look for users logged into those accounts
- Instruct their weaponized-wiretaps to attack these victims
- Use the control of the victim's computer to execute wiretaps within Belgacom, a telecommunications firm belonging to a NATO ally
So of course they don't want to comment about it. Although we shouldn't focus on Slashdot or LinkedIn: any site whose unencrypted pages identify the logged-in user could have been used. It's just that they were targeting the network geeks. I'm utterly certain that GCHQ will casually accept the same explanation if (or, if I were running the DGSE, when) France decides to follow the GCHQ playbook in targeting British Telecom. What's French for "Sauce for the goose"?
The second concerns my own Senator and her campaign contributions, but not for the expected reason. I'm actually shocked at the small difference and small values. I don't find it corrupt; rather, and even more disturbingly, the paltry sums make me think that Feinstein actually believes what she's saying. So why doesn't she release all her phone records? After all, it's "just metadata".
Switching gears from the invasive but competent to the invasive and incompetent, this literary quote encapsulates the real criteria behind the TSA's behavioral profiling:
"Uncooperative. Too cooperative. Talks too much. Talks too little. Gets his story perfectly straight. Fucks his story up. Blinks too much, avoids eye contact. Doesn't blink, stares." -David Simon, _Homicide: A Year on the Killing Streets_.
When one actually articulates the sort of criteria needed to do a 'behavioral profile' from just the "what is your name, where are you flying to, what is your favorite color" questions asked by the typical TSA agent, it quickly becomes obvious that it can't work. About the best it could elicit is an "uh, can't you read?", further clogging the system by treating hostility towards the Theatrical Security Administration's pointless procedures as yet another "behavioral indicator." It's not like it's possible to hijack a plane these days: even with weapons, the question is not whether a hijacking team succeeds or fails but rather whether the hijackers survive the ass-kicking that will be delivered by the passengers. It shocks me that both the shoe bomber and the underwear bomber survived.
To conclude on a lighter note, let's shift to the sock puppet/catfishing (sockfishing? fishpuppets? sockcatting?) accusations against Ashley Madison. What I find surprising is that they allegedly did it manually. This should be a high technology operation: a stock photo account and a bit of automatic text generation and voila, "profiles," that for some reason never respond yet make the site seem populated with MILFs on the prowl.
Hey Ashley Madison: you run a sleazy site, you have an affiliate program which encourages a particular spammer to clog my inbox, and I really, really don't like you as a result, but here's my offer anyway: hire me. My obscenely high consulting rate for setting up an automatic profile generator would, in the end, still be a lot cheaper than defending against a garbage nuisance suit from an ex-employee.
Not an overreaction...
Pressure cookers ARE bombs by design: as pressure bombs go (aka pipe bombs), pressure cookers are up there, with way more punch than an ordinary pipe bomb but slightly less punch than a fire extinguisher.
Not only that, but you can easily build a pressure cooker bomb that doesn't have an external igniter but a timer in the bomb itself, so it doesn't look any different from a pressure cooker. In fact, for a timer-based bomb, it's easier to do that way.
So this was far more reasonable than the typical "it's a mystery box, call the bomb squad" reaction, but what I would want the Capitol police to do in this situation.
I'm so glad to be called uninformed...
Considering that, just yesterday, I spent my morning writing a non-technical explainer on the latest UXO from the first crypto war that just blew up in our faces...
Ulbricht's lawyer is an idiot...
The theory being that such a declaration would constrain Ulbricht's legal strategy. If Ulbricht did provide such a declaration, only if he testified that the server wasn't his would the prosecution be able to say "uh, you said this server was yours".
But, idiot lawyer forgot that the bell has already been rung: Ulbricht submitted a similar declaration (under effectively the same terms), in the civil forfeiture over the 180k odd bitcoins seized from his laptop. If Ulbricht is so foolish as to get on the stand, the prosecution will go "So, how did you get those millions of dollars worth of Bitcoins on your computer"?
If Ulbricht replies with anything other than "Uh, you got me", the prosecution then has a rebuttal expert show how those Bitcoins were derived from Silk Road, by tracing all the 100s of law enforcement and other test purchases and showing how the premium flowed into DPR's booty-chest.
Overall, it feels like Ulbricht's lawyer has a bad hand, but is grandstanding to the tech press and crowd who wants to see Ulbricht as some sort of hero, with talk of general warrants and suchlike. But the only realistic hope Ulbricht had was to suppress the evidence collected from the Silk Road server: as long as the server stands (and it now does), the good ship Revenge is well and truly sunk.
If Ulbricht's lawyer is wise, he'll get his client to plead out with something that will see Ulbricht released in 10 years, because the feds are throwing the book at him with mandatory minimums, and haven't even started yet with the murder-for-hire charges.
(untitled comment)
But the big 4th amendment issue is the real deal: A "miracle" is not a justification for a warrant, yet the FBI's discovery of the silk road server is just that, a miracle. EVERYTHING the FBI has depends on that initial server discovery. That even now they have not said how to the defense is a big deal, and should worry everyone.
I want to see DPR convicted, but unless the FBI found those servers legitimately, in order to protect the liberties of the rest of us, having DPR go free is acceptable to me.
Re: Re:
(untitled comment)
Hyundai/Kia paid an ungodly sum to be the official car sponsor of the World Cup, for use in advertising world wide. Hyundai was not going to want Mercedes gaining a free ride of world cup association because one of their drivers just happened to be German.
If FIFA had said "yes", complete with that big Mercedes logo in front of the helmet design, any "benefit" from free advertising would have been lost as now every FIFA sponsor knows that their exclusivity can be diluted at a whim.
First link is high on the bogosity factor...
1: Corn syrup, while the UK version just had more sugar. Both are equally damaging.
2: Corn starch, in red, was also in the UK version
3: The colorant, in red, was probably just the unspecified "color" in the UK version
4: The fats were just all classed as "fatty acids" in the UK version.
5: The artificial flavor, in red, was probably just the unspecified flavor in the UK version.
Ohh, icloud boyz-and-girlz...
As a consequence, the right discovery requests could possibly get the edit history of the "Eat a bowl..." list, not just the current state.
I hope the plaintiff's lawyer is reading this...
Re: Ghostery
Of course, the problem is that ends up being potentially disruptive, as now the AddThis widget doesn't display at all.
Re: what is a confidential source?
Kyllo v. United States
They are using these things without getting a warrant, yet it's very very clear that Kyllo would have these things get a warrant:
(In this case, the search was an IR camera pointed at the home, and used to obtain a warrant looking for a grow room).
Even the dissent in Kyllo was predicated on the observation that "this device didn't penetrate the home, so it's OK", which is certainly not the case with a Stingray, which searches within hundreds of homes to find a targeted phone.
I think they are (rightly) afraid that if warrantless use of Stingrays ever saw the inside of a courtroom, the resulting derived evidence would be thrown out by an angry judiciary.
They aren't investigating because they cooperate..
Re: Re: Securedrop is pointless theater...
Tor by default glows in Netflow, since the public relays are known, which everyone keeps, let alone any real IDS which goes "hey, these certificates don't validate, oh, and are odd in the CN/SN structure".
This is why it was so easy to track down the Harvard hoaxer: "Look in Netflow for contacts to the Tor relays. That's his IP. Look at the access logs to find out who it is. Oh, it's this one person, go knock on his door Mr FBI".
Alternate plug-in transports to bridge nodes prevent this, but your Tor Browser Bundle can't use those by default, since if it could, they'd no longer be good at hiding "this person is using Tor".
It comes down to this unfortunate fact: A source which knows how to use Tor without being identified as a Tor user (using Tails on a public WiFi hotspot, ideally divorced from normal habits/movements) already has enough OPSEC skills that they don't need Tor, but can instead use burner phones and the US mail.
Yet how many sources email the Guardian, the New York Times, the Washington Post, etc and not realize that the mail servers are outsourced, and a subpoena or a search warrant away from every local cop or fed (or Google or Microsoft for that matter)?
Re: Re: Securedrop is pointless theater...
a: The UK government would need to ask for an MLAT. Which is a pain-in-the-ass.
b: The 3rd party doctrine and the stored communications act and all that crud would not apply. This is first party data now.
c: The Guardian's lawyer is right there to fight it.
d (and the most important one): The Guardian would know.
Just the fact that the knowledge that the newspaper would know when its email was searched greatly prevents Rosen style-incidents, since guess what happens if a search is attempted? It becomes front page news. And those executing the warrants know it becomes front page news, adding in a pretty big check right there.
So yes, putting your press institution's mail server in your office in the US under your lawyer's desk does actually provide a substantial amount of protection for a press institution.
Securedrop is pointless theater...
Rather, if the Guardian was actually serious about doing something meaningful, they would run their own mail servers and put them in their US office under their lawyer's desk.
Because, since it is outsourced to gmail, they admit they can't trust their email at all to be private, but do potential sources know that?
It really mystifies me too...
And otherwise, the NSA has proven to be as aggressive (if not more so) than the Chinese. After all, the NSA doesn't bother spearphishing once they started weaponizing the Internet backbone...
So how are any high-up officials in the intelligence community ever going to visit, say, Brazil, which now knows that Petrobras was hacked by the NSA to gain information to the US's advantage? Or any DEA official in the Bahamas, now that it's been revealed that the NSA, with DEA help, executed full-take of all cellphone calls?
I think the reason for it is willful ignorance. The one group most ignorant of the NSA's activities is the US government itself: Because all the Snowden slides are still classified, and reports often include the slides themselves, they are like a bunch of kids going "nah nah nah we aren't listening".
Thus as a result they make stupid decisions, like starting an "arrest for hacking" legal war with the rest of the world, and are going to be facing a world of grief once everyone else goes 'hey, if the US does it to NATO allies, we can do it to them..."
See page 83 and 84...
Ha, arms dealing...
A link to the complaint here: http://media.nbcbayarea.com/documents/complaint_affidavit_14-70421-nc.pdf
Thus the gun charge is particularly amusing, basically it's setting up a deal (in return for a campaign contribution) with a gun importer.
[1] Namely, in CA, "Assault weapon" is defined as a rifle with "removable magazine + 1 scary looking feature (pistol grip, flash suppressor, adjustable stock, etc)".
So someone came up with the "Bullet button": a magazine release that requires a tool, so it's no longer removable, and a legal limit of 10 round magazines.
Now these are great: The gun-types can have their ARs with all the features they think are so cool, they are great home defense guns (far better than a pistol or a shotgun: 5.56 breaks apart much easier in walls and is much more accurate), yet they, well, can't be quickly reloaded!
So it's perfect: The tacticool guys get their tacticool shit, people who want a home defense gun get 10 easy to hit with, break-apart-in-walls shots, but the crazy-wacko-spree-killers are SOL. And the gangbangers always used pistols: it's hard to stick an AR down your pants.
Yet Senator Yee viewed this as a "loophole" and has been fighting it for years. He and a couple of colleagues got a sweeping "assault weapon" ban passed that would reclassify effectively EVERY rifle as an "assault weapon"! (It was so bad that Governor Brown actually vetoed it!).
Re:
a: Company that routinely sends such mail
b: Matches semantically with such mail
c: Would be something they'd want to view
would NOT click on the link? I think the blame the user mantra here is ridiculous. Such links should be untrusted (no plugins, no scripts), or disabled completely, but to expect users to not click on a link in email destroys the whole notion of sending links in email.
Please correct, this is likely NOT the NSA...
Two very important points:
The initial attack was phishing based. The NSA doesn't need to phish; instead they just use direct packet injection.
The malcode appears to be a MiniDuke variant.
We don't know who is operating MiniDuke (namely, is it the Russians or is it the Chinese?), but the targeting history suggests that it is not the US/UK, as a significant number of the targets of MiniDuke have been US/UK computers (Think tanks, research institutions), while NSA/GCHQ is largely outward facing.
Thus the headline is WRONG: Quisquater was probably attacked by a nation-state level adversary, but that adversary is probably NOT the NSA/GCHQ.
Techdirt has not posted any stories submitted by Nicholas Weaver.