If you accept O'Mara's argument that the parents of a bullying child are criminally responsible because they exhibit "willful blindness or gross negligence" in allowing the bullying to occur, then you have to accept the same argument for the victim's parents. The victim's parents also must have been too lax in monitoring their child's online behavior. I doubt O'Mara is willing to hold the victim's parents equally responsible and I wonder how he would argue himself out of that inconsistency.
Law enforcement cooperation between countries may mean you are not necessarily protected although you might be more protected than being subject to U.S. law enforcement (or CIA etc.) activities directly.
Even during the Nixon administration the Pentagon Papers were allowed to be published at the New York Times without prior restraint. There are a lot of countries that don't have that level of press freedom including the UK. The chilling effect from the Obama administration's pursuit of leakers is an important and unfortunate side effect. However, it is indirect, not a direct attack upon press freedom. You may argue that is just quibbling about the details but wait and see what happens in the UK concerning the Guardian.
I think I understand what Cameron means by double standard. The Guardian wrote about and criticized the phone hacking done by other newspapers. The phone hacking illegally invaded the privacy of individuals. Now the Guardian is publishing information acquired illegally by Snowden. There is an equivalency made about an individual's privacy with the government's privacy, its official secrets. There is another argument implied in this that is hard for me, as an American, or any American to see. UK law tends to treat ill-gotten information as ill-gotten no matter how many times removed from the original source. I saw this in the recent censorship case brought against researchers Flavio Garcia et. al. concerning the publication of weaknesses in the Megamos Crypto based vehicle immobilizers. In that case the High Court judge in his preliminary ruling said that because the Megamos Crytpo algorithm that was published by a Bulgarian company on the internet possible might have been acquired illegally then that information was tainted. That meant that the analysis by Garcia et. al. was also tainted and could be kept from being published through prior restraint. If one assumes that the information that Snowden acquired is similarly tainted, then the Gaurdian's act of publishing portions of it is also tainted and possibly illegal. There, now you have a double standard being used by the Guardian. I am not expert in UK law so if anyone with more knowledge can expound on this, please do.
My wife is a middle school teacher so I do have something of a window into the hows and whys of the administrator thought process. School administrators, since they are dealing with actual children, believe they need to stay "on message". The world of rules has to be black and white. If you compromise, how are the kids going to react when they see that? If they do compromise, for whatever reason, then the incident must keep kept as hidden as possible. I think it would make more sense if they taught that the world is rarely black and white, that enforcing rules, and justice in general, is about compromises. However, that takes courage and zero-tolerance is much safer for the administrator. Courage is indeed what it takes in the face of all those potentially irate parents and a school board with the power to end your employment. In this context, perception is indeed reality. Kids do crazy things, embarrassing things, and sometimes even dangerous things all the time so administrators, in fear of their job, are constantly motivated to use the traditional standbys as well as come up with creative new ways to keep them in check. School administrators are supposed to have training as administrators beforehand yet many of them seem to believe their role as administrators is still "In Loco Parentis" without restriction. This is still true despite the decades of court precedents that recognize the constitutional rights of children place restrictions on the power of school administrators. The upshot of all this is that zero-tolerance policies do not make schools or children safer, they make administrators jobs safer.
The ethics of using an ID system that is not completely accurate depends entirely on how it is used. Yeah, 20% for false positives is a maximum and real world usage will likely show better results. If you think the FBI is incapable of intentionally abusing an ID system or making gross mistakes then look at the case of Brandon Mayfield. On the basis of fingerprint identification, and the fact he converted to Islam in the late 1980's, he was arrested in 2004 and held for over two weeks as a material witness. The FBI first claimed his fingerprints were a 100% match with those found on a bag from the Madrid train bombing. It turned out from the information discovered during the lawsuit brought by Mayfield that there were 20 individuals in the US whose fingerprints were SIMILAR to the one found in Spain. The FBI investigate all of them. Because of Mayfield's Islamic beliefs he became the prime suspect despite not having left the US in over 10 years. Furthermore, before his arrest, Spanish authorities said his fingerprints were not a match. The FBI disregarded all this and arrested him anyway.
It doesn't worry me that the FBI is looking to adopt facial recognition and I probably agree with you that this article complains about its accuracy without knowing how it will be used. I am worried about how they will use it. Do not fool yourself into thinking the FBI will not use facial recognition to arrest someone. It may not be the only factor in the arrest but, as with fingerprints, law enforcement tends to be eagerly biased in favor of its usage and tends to disregard what science says about the level of doubt.
There are a lot of inconsistencies in what is known publicly, so far, about the two supposed hits. My suspicion is Ulbricht was acting out a charade in setting these up and had no intention of getting anyone killed. Remember, no one was actually killed. A scenario supposing a charade makes perhaps more sense than actual intended killings. I am not willing to bet on my suspicion just yet but killing people seems contradictory to Ulbricht's stated philosophy.
Law Enforcement would like to convince everyone that because they have the servers all the buyers and dealers can be found and arrested. Remember that a seller can retain anonymity from those running silk road, from buyers, and from other sellers. The weak link is in buying and receiving a package. Look at the arrests and see how defendants are found. An undercover seller can lure buyers from their honeypot. The compromised buyer can be made to purchase from another seller. With enough purchases, the seller can be tracked down. The automated post office can and does track packages and standard 1st class mail. The target address could be put on a hot list. I don't think there will be too many arrests as the window for setting up such busts has closed.
I wonder if Sadler is the FriendlyChemist. Bellevue is fairly close to White Rock, BC.
Re: Re: (Source: more anti-spam experience than anyone else.)?
When you claim more experience without providing your resume and without knowing the experience of others on this site, it definitely comes across as arrogance. I have more than 30 years experience in network protocols, yet I would never say I know more (on any subject) than everyone else who comments on this site. I would even hesitate to say I know more than anyone in particular. I suggest you just argue your case. Can you cite any studies?
I would argue that scanning the contents of an email message can only help in categorizing spam versus non-spam. Just one example is using the text/image ratio which is something the metadata doesn't provide. The text/image ration will not ever, by itself, be a determining factor, but it is additional circumstantial evidence.
You mentioned the hop count in your original message but there is no hop count in SMTP. Are you referring to the "hop count" in the IP header (actually the "time to live" field)? Maybe you mean the number of "mail transfer agents" as each one adds a line to the header. But looping is already handled by the IP protocol and it is routers looking at the loop count who decide when a discard is necessary to control looping. So, what do you mean?
Your analogy is good insofar as it relates to scanning for which the results are under your control. This works for indexing, spam and anti-virus filtering and such. The distinction between whether the user has control of a scans stored results is one the ECPA doesn't take into account and should. When email is scanned for the purposes of targeted advertising you do not have control over the results. Also, it is third parties, the advertisers paying Google for this keyword information and ad placement, who are ultimately using it.
The owner of an account should consent to scans before they are allowed. Whether or not the scanning is optional is not the main point. What is most important is the scanning should be explained to the user so that consent is informed. An important part of the suit is whether Google has properly informed users. They have not informed users in a clear way. This is particularly important if any results of a scan are stored in a way that is outside of user control. A further distinction should be made between statistical scans (e.g. for disease symptoms) for which the results do not identify any particular user and scans for which stored traces are tied to a user (e.g. targeted advertising, copyright infringement, objectionable content).
2)and 5) I agree that an SR vendor selling to another SR vendor was risky. I think that this was obvious to DPR who made an effort to detect law enforcement activity on the site. Vendors that showed an interest in selling large amounts for resale should have been under suspicion. I can't imagine that DPR would knowingly let admins both buy and sell on the site. The following could be an explanation. DPR suspected "the employee" of being dishonest. DPR set him up by directing him to be a direct middleman in the 1KG cocaine buy from the suspect vendor (UC). Employee gets busted and DPR performs a charade where he directs him to be tortured and killed by UC as a way of ferreting out whether UC is really undercover. What dangerous information could the employee have access to since TOR allowed anonymity of both vendors and buyers? Remember it is only a single vendor that gets some real address from a buyer. Also, the employee is in a Maryland jurisdiction (thus the indictment from a Maryland Grand Jury for this murder for hire) and did not access to the server for the website which is in some foreign country. Doesn't it seem odd that all of a sudden DPR is asking a vendor to perform a murder? Isn't it also stretching credibility to expect just pictures to be proof of a murder. Cmon, anyone who has ever seen a movie know that is easily faked. DPR's mistake in acting out this charade was that now he has been indicted for a murder for hire even when no murder ever took place.
"No in the Masnick world, prior restraint and ex parte domain name seizures are only a free speech issue if it impacts upon the infringement of copyrighted works."
In the case discussed in this article there was no domain name seizure. SilkRoad was a TOR hidden service and DNS is not used to access them. It makes no sense to say the domain name was seized. What was seized were the servers that implemented that hidden service.
The Courthouse News Service article about this which is linked to in this article has an image which is the cover to one of the paperback versions of Philip K. Dick's novel "Eye in the Sky". If Isa Dick Hackett were aware of this she would probably complain on behalf of the PK Dick estate or does copyright belong to the artist who created the image? I do believe Courthouse news should at least give attribution for that image.
I don't think you understand what the DOJ is doing in general and more specifically with the CFAA. The federal court system has moved away from using intent as a critical element of a crime. Weev was charged with conspiracy to commit unauthorized access as well as fraud. The unauthorized access charge does not require them to show intent one way or another,just that the access was unauthorized. Thus, the technical explanation of how the access occurred is the core of the argument. The fraud charge does require intent and this is why the DOJ uses pained logic to show that Weev benefited from disclosing the vulnerability. The trouble is that that logic can apply to any, I repeat, any security researcher who discloses a vulnerability. It doesn't matter if the disclosure is full disclosure or responsible disclosure the researcher can be convicted of a crime because at some point they had to confirm the vulnerability by using it.
The crux of responsible disclosure is that the company responsible for the faulty software or hardware is notified of the security vulnerability and given a reasonable amount of time to fix it before the vulnerability is made public. This actually happened in this case. Neither Weev nor Spitler directly notified ATT. However, they did wait until the vulnerability was fixed before Weev gave Ryan Tate of Gawker the list of email/ICC-ID pairings. Weev sent emails to various members of mainstream media whose email addresses were included in their acquired list. For each media person he included only their own email/ICC-ID in the email he sent. He also invited them to interview him about the ATT security breach. In this way he was indirectly notifying ATT of the breach as well as attempting to garner more publicity. Weev and Spitler waited until they could no longer repeat the retrieval of email addresses with their slurper program before contacting Ryan Tate. This meant that ATT had closed the security vulnerability.
The ATT/Apple assignment of ICC-IDs are not sequential. There is a number space of 100 billion to 100 trillion within the overall 20 digit ICC-ID set that is assigned to Apple. At that time there were (I think) roughly 200,000 ICC-IDs assigned in this block. They are assigned somewhat randomly from chosen sub-blocks.
Owners of an iPad 3G must provide an email address, billing address, and a password to complete registration and activate AT&T’s 3G service. When users log-in to the AT&T website for 3G subscribers they must provide that email address and password. AT&T made this process easier by automatically pre-populating the email address on the log-in page. A twenty digit ICC-ID (Integrated Circuit Card Identification) number uniquely identifies the SIM (Subscriber Identity Module) card of any device with cellular network connectivity. The iPad browser’s HTTP request for the log-in page, contained the iPad’s ICC-ID in plain text within the URL. The browser’s “user agent” (a portion of the HTTP header) is one specific to an iPad. When the ATT server received such a request from an apparent iPad it would return the log-in page with the correct email address already supplied as long as the ICC-ID was one that matched a registered user. This feature, that made logging easier, also made it insecure. Note, that the email address is supplied before any authentication is done using a password.
How does one collect email addresses from multiple ICC-IDs? One way is to, sequentially, go through all the potential ICC-IDs and collect the emails received from the relatively few requests that were successful. Of the twenty digits the first two represent the Major Industry Identifier (MII, 89 for telecommunications). The next two are a country code (CC, 01 for the US). The next 1-4 digits are for the issuer, which is Apple in this case. These are not published but every iPad reveals one of them. This leaves 11-14 digits for the account number. The final digit is a check digit for error detection. So, one has to go through, roughly, 100 billion to 100 trillion ICC-IDs to find all the valid ones for Apple iPads. That is a pretty large number. Daniel Spitler wrote a simple PHP script that was colorfully named "the iPad3G Account Slurper", to automate the procedure. The set of valid ICC-IDs are not sequential. After some initial success they were having a problem finding valid ones. They guessed that the iPad 3G used ICC-IDs from different blocks of numbers. The ICC-ID is printed on the SIM, so they guessed these blocks based on Daniel Spitler’s iPad, those of acquaintances, and from public pictures of the iPad 3G shown on Flickr and other photo websites.
An app could have been written for the iPad. Since it would be unlikely such an app would be approved by Apple this would have to done with a jailbroken iPad. Such an app would still need to “spoof” the “user agent” of the browser for the iPad. Another option is to write a script for use on a computer that is not an iPad and, again, utilize a spoofed “user agent”. Whichever approach was taken, the result was that, altogether, approximately 120,000 email address/ICC-ID pairs were collected over a period of several days from June 3, 2010 up to June 8, 2010.
Note that Spitler identified the sub-blocks that Apple used by finding ICC-IDs from pictures of Ipads on Flickr. If the ICC-ID were a password why would people post this number publicly on their Flickr account? Also, the painfully obvious flaw in the DOJ's argument about ICC-IDs being passwords is that a real password was required right after ATT so helpfully filled in the email address in response to a valid ICC-ID.
The critical point that distinguishes access of a computer from unauthorized access is the authorization step. The DOJ is bending over backwards to try to show what they did was unauthorized and so now pretend that an ICC-ID is a password. This ignores the fact that accessing your ATT account for an Ipad 3G requires a real password. ATT automatically filled in the email address whenever a server request was sent to get the page that asked for the password. A violation of the CFAA requires unauthorized access. How can the DOJ claim the the ICC-ID is a password when the very next step in the process of accessing an ATT account requires a real password. Spitler and Weev never accessed anyone's account.
"The Metropolitan Transportation Commission/511 operates a data collection system based on FasTrak toll tags to provide better information about the transportation network to Bay Area travelers, transportation managers, and transportation planners through its 511 Driving TimesSM service. To ensure that FasTrak users remain anonymous, encryption software is used to scramble each FasTrak toll tag ID number before any other processing happens. In addition, the encrypted toll tag ID numbers are retained for no longer than 24 hours and are then discarded. If you do not want your toll tag read for these purposes, place the toll tag in the special Mylar bag provided to you when you are not using it for payment of tolls at a toll plaza. The Mylar bags can be requested from the Customer Service Center. If you would like additional information about 511 Driving TimesSM and how toll tag data is protected, please visit www.511.org/copyright_items/privacy.asp."