A friend of mine is a DA and once told me that prosecutors do not like to have engineers, software engineers in particular, because they require too much proof. During the recent jury selection I was involved in, I told this to a Google engineer who was also in the jury pool. He was desperate not to be chosen because the estimated trial length was 2 months. What was odd was that the defense attorney was the one who dismissed him on a peremptory challenge.
I think the main reason that lawyers are dismissed early is because attorneys on both sides and the judge do not want someone on the jury who can act as an expert on law and sway other jurors contrary to only the presented evidence or to the judge's precise instructions.
A potential juror who has expertise in a field applicable to the trial will probably be dismissed because they are less malleable to presented evidence. Worse, they may influence other jurors who may look to them as an unofficial expert witness. I am a software engineer but it was my knowledge and my other degree in psychobiology which led to my dismissal as a juror in that recent 1st degree murder trial. A few years back, I had watched videos comprising many hours of lectures by one of the scheduled expert witnesses, Robert Sapolsky. The defendant was 17 at the time he stabbed someone in front of many witnesses. (After I was dismissed I read the appeals court decision which overturned his previous conviction based on the fact that the judge did not allow the jury to properly consider the defense testimony from a psychologist.) I pretty much knew what Sapolsky's testimony would be and I knew his personal opinions based on what he said in this interview in the NYT about being an expert witness and how the legal system always lags behind the advances of science and technology: http://www.nytimes.com/2007/03/11/magazine/11Neurolaw.t.html?pagewanted=all&_r=0
The most important issue to me involved studies that showed that the development of the human brain's pre-frontal cortex is not complete until around the age of 25. The result is that the amygdala tends to dominate and young people end up being more impulsive without thinking through and weighing consequences. No big surprise here except for the fact that brain maturation completes at a later stage than most people think and the cause is organic. This was the main rationale behind the Roper v. Simmons Supreme Court decision in 2005 that eliminated the death penalty for those who committed crimes while 16 or 17. I talked about this in a very vague way so as not to sway other jurors before any expert testimony. I even mentioned Roper v. Simmons while explaining how I could not disregard my own knowledge. A juror isn't supposed to consider potential penalties but my knowledge, outside of expert witness testimony, would have influenced my decision to convict for either 2nd degree murder or manslaughter. This isn't absolute as Sapolsky himself has noted that criminal behavior can be the result of a "broken machine", with no chance of resolving itself.
I was not terribly interested in serving on a jury for 2 months but I was also being very honest. If I had really wanted to serve on the jury I wouldn't have mentioned any of this. The prosecutor stopped calling on me after that including questions made to the entire group of prospective jurors. I was absolutely the first one dismissed out of that group and left the courtroom, relieved, but also deeply disillusioned about the jury system. I am still disillusioned and the decision for this patent case only reinforces that.
DNA analysis is not part of this study. The saliva samples are only used to measure the level of several classes of drugs. Sure, you have to trust the federal government that they are not surreptitiously collecting DNA samples. I have to say, I do support these kinds of studies and trust them in this very narrow sense. After all, if they really want MY DNA sample all they have to do is offer free beer in the park and collect the cup that I threw out and was already marked as being my sample. Frankly, I'll probably take that free beer, but I will still refuse to give anything more than my identity when the police stop my car, encrypt my Internet communications, and cloak my browser configuration.
Any human study requires consent and that means signed consent. That doesn't mean that the study cannot be anonymized. The signature is stored separately from the rest of the data and does not need to be tied to your particular samples unless you, as a subject, have an interest in seeing the results after the study is completed. The researchers working up the data never see a name attached. Only PIRE should have access to the raw data which, in this particular study, should be truly anonymized with no way to match samples with names. Again, we're down to trusting the government. I have no wish to live my life paranoid about everything. So, I choose, hopefully wisely, concerning what I need to be paranoid about.
I am sure the NHTSA and PIRE (the contracting research outfit) used the presence of uniformed police to encourage participation in the survey by getting them to make that initial stop. Even stopping was voluntary and a number of vehicles in the 2007 study did not stop. The statistical accuracy of the study is dependent upon minimizing refusals otherwise the sampling is skewed from random. The percentage of refusals in 2007 represented a significant increase over the previous study and was a concern. Considering what has been revealed in the past few months about the government collecting information I would expect the strategy of using police to encourage the initial stop would result in even more refusals than before. The study will be much better off having no police presence whatsoever. Additionally, they need to drop the initial surreptitious measurement with the Passive Alcohol Sensor (PAS). Despite the assurance that this is OK under government human research guidelines, I think it is not OK and it is not ethical to do this before consent is given. That measurement makes sense if only considering the statistical validity of the study. However, that practice generates mistrust and will end up decreasing participation in future studies.
I recently spent 4 days as part of a pool of people undergoing jury selection. Juries are a true cross section of people. I was amazed at some of the ignorance displayed and how a person could hold on to divergent beliefs that really contradict each other. This lawyer has to, at least, try to discredit Diffie. For someone who doesn't know he is a god in the world of cryptology, showing that he is a liar by claiming to have discovered public key cryptography may actually work. The fact that this actually undermines the plaintiff's case may be lost on most of the jurors. Even though they are well known, you could probably convince someone that Bill Gates, Steve Jobs, and Mark Zuckerberg are all losers because every one of them is a college dropout.
Calling the 50,000 networks a botnet is mischaracterizing what is going on here. The NSA only achieves its purpose when infecting a router or switch. This is what gives them access to all the data communicated on the attached network. Recall that with Belgacom the infection of IT staff computers was only an interim step, with the ultimate goal of infecting the GRX routers. A router does not run much of the software which makes botnets so useful to their controllers. The NSA would also not ever risk their surveillance capability by using control of a router for other purposes. If the router was not functioning well or doing very strange things then network IT staff are going to notice it and start investigating. Unless there was a stealthy root-kit (not an impossibility) on the router, the malware will be discovered and removed. The OS for routers has less of an attack surface than standard computer OSs. Even if Linux, or some other variation of UNIX is used then a lot of the capability, and thus attack surface, is disabled.
Once a router is infected, if a user's computer or server was infected that malware isn't so important anymore. Those, non-router, computers are updated much more frequently than routers or switches. Also, anti-virus software is not installed on routers. The NSA may even remove malware from non-routers to avoid detection. Then again, they may have achieved some very stealthy malware. I think it is less likely that arrangements are made with major AV companies to whitelist NSA malware. A whitelist is visible to too many people.
This particular leak is going to have an enormous impact on NSA capability. It would behoove any security executive for telecoms, or ISPs around the world to take a close look at their routers.
From the 2007 methodology document: "While the interviewer conducted the verbal informed consent process (see below) for the interview, a PAS reading was taken on all subjects, prior to their consent or refusal of the survey. Because this measure was taken passively prior to informed consent, it was deemed to be acceptable under human subjects guidelines (analogous to observing or smelling)."
I disagree with this rationale. The collection of data may be passive, but use of a PAS is much more than just smelling alcohol on someone's breath. You could argue that an X-ray was also passive if the device was portable and aimed through the car. After all it is just a different frequency from visible light used to make "observations". A machine that can quantify your physiological state should require consent.
According to their methodology they do not collect license plate numbers. You have to trust them that they really mean it when they say the tests and your survey responses are anonymous. As much as I approve of such studies in general, it is hard these days to trust the government. It would be better if the police weren't involved at all. One indication that they are not out to get you is that drunk drivers are not arrested. Instead they make sure you "get home safely" which probably means parking your car there and taking a cab, under threat of being reported to the police if you disagree. Unfortunately, I don't see how they can keep the police from recording the license plates of such parked cars.
There are a couple of errors in the articles linked to here. The study is not analyzing DNA. I think there was an assumption when people heard there was a cheek swab used that they were collecting cells for DNA analysis. This is incorrect. The swab was used for collecting saliva and had to be in your mouth for 3-5 minutes which is not the same procedure, used for collecting DNA, wherein a swab is used to scrape cells from the inside of your cheek. The saliva undergoes testing in a lab for presence of a bunch of different classes of drugs.
The DailyTech article claims that the use of a Passive Alcohol Sensor (PAS) before getting consent was a new tactic not used in previous studies. This is incorrect as this was done, at least, in the 2007 study as well. I have participated in numerous studies in my life and have read many study protocols and signed many consent forms. I am bothered by this involuntary collection of data. It may be this violates some government mandated protocol for human research subjects. I am not sure about that though. One place to look is here: http://www.law.cornell.edu/cfr/text/49/11.116 which discusses the general requirements for informed consent.
The purpose for collecting PAS data at this stage is to try to characterize the population of those refusing to participate to gain insight as to how this skew to random sampling affects the overall statistics. The PAS device, at least in 2007, was a small device that was velcro'd to the PDA which was held a few inches away as the interviewers asked initial questions. It collected your breath as you answered. You could simply talk away from their PDA to avoid being sampled.
If your breath test showed that your BAC was in excess of .08 then they made sure you got "home safely", apparently, without having you reported to the police and arrested unless you refused their help.
Interesting note for gamblers: They offered a subset of those who refused the study an additional $100 if they would reconsider. I think this subset was around 15% of refusals.
I think it's important to note that Ulbricht has only been charged with one attempted hit as described in the Maryland grand jury indictment. The prosecution is only talking about the other 5 as an argument to deny bail.
Ulbricht doesn't seem to be too concerned about money. He was not living a lavish lifestyle although the Government claims he earned some $460 million in commissions. He certainly had at least 144,000 bitcoins (~$20 million). He expresses concern about recovering funds from the 4 additional targets, yet he is paying redandwhite et al. (supposedly, the Hells Angels) $500,000 for the hit plus 50% of any funds recovered. The hit on friendlychemist cost Ulbricht $150,000. So, Ulbricht is spending $650,000 to recover some portion of the $500,000 he paid out in extortion money. He is trusting, supposedly, the Hells Angels to tell him how much they actually recovered plus they get to keep half of that. Now, I'm not a CPA or even a businessman, but that doesn't seem to make economic sense.
What we have heard about Ulbricht gives the impression that he is a pretty smart person, yet what he is supposedly doing with these hits seems both naive and incredibly stupid, in addition to exhibiting a callous view of violence that I think is out-of-character. I think the more likely scenario is that Ulbricht was trying to manage SR so that problem people would go away. The game he played meant paying off extortioners and subsequently playing out a charade of hiring hit-men to intimidate and discourage follow-up extortion. I think he knew he was always dealing with people who were trying to play him and this was the best scheme possible to stop that. In other words, he knew that the people he was paying to arrange a hit had no intention of doing so. This includes the UC whom Ulbricht probably suspected was, in fact, law enforcement.
If it turns out my theory is incorrect, I can always sell the screenplay, based on it, to Hollywood.
Thanks for clarifying that. I am not surprised about the difficulty of detecting any sort of deception. What should be much easier is detecting a terrorist who is on a suicide mission. It is also the sort of thing that is so rare it is hard to study.
A hypothesis need not be based on evidence, you just need evidence to test it. It might be based on some existing evidence but it's not necessary. I see a hunch as a weak hypothesis. An example of a hypothesis based on a theory that you guess is applicable to something else, is applying the earthquake swarm theory of self-exciting points to crime prediction. Something that Techdirt talked about a couple of weeks ago.
I don't think it is a fatal flaw for TSA to operate on a hunch. It would be extremely difficult to prove the efficacy of any such program for the simple reason that terrorist incidents are so rare. I have not read the report yet but I am rather skeptical about how they came up with a 54% effectiveness value. It's the same problem. Not enough data points for statistical accuracy. It is simply not the same to have actors, playing the part of terrorists, testing the SPOT program to increase the number of data points. A hunch may be based on related scientific evidence and anecdotal reports. I think that is OK. What I am completely puzzled by is how a billion dollars was spent on this. I would expect perhaps a few million, mostly for training. The other main problem with it is acceptance by the public. I once went through a 25 minute interrogation by some young woman who was in the Israeli Army at the airport in Tel Aviv. I barely tolerated it because I was surprised by being picked out of the crowd of passengers and the fact that this was THE foreign nation who was noted for being heavy on airport security. I don't think I would tolerate this in the US. Their suspicions may have been encouraged by the fact that I was an American, living in Hungary with a passport issued in Spain, and traveling with a Belgian woman to whom I was not married. Oh, and we had just gotten back from Egypt. Still, the intrusion into our personal life I felt was unwarranted.
"Short of pulling out the battery (notably not an option in some phones), there seems to be little anyone can do to prevent the device from being tracked and/or used as a listening device."
It's not that hopeless. As pointed out in some of the previous comments, a Faraday cage or bag is sufficient to prevent remote activation of your cell phone. These are now being made and will probably become more common. If you don't care about style, you can just use a mylar bag. There are 2 caveats to keep in mind: 1) Not any bag made from metallized film will do. I have tested anti-static bags that don't work. 2) Make sure it is fully closed and stays that way in your pocket or purse.
Your bag is easily tested. Just call your phone while it's in the bag. The test is better if it is done in a place that shows the maximum bars for service. For foolproof testing, stand next to a cell tower for your carrier and do the same thing.
This avoids having to worry about: whether the radio circuitry is really turned off or not, getting a phone with a removable battery, secret secondary batteries, or secret RFID chips.
If some of the phone manufacturers are being coy about denying the ability to remotely activate a turned off phone, it might be because they have allowed the phone to be configured to listen while "off". It is conceivable to me (but I'm not convinced) that manufacturers along with carriers in conformance with CALEA might allow a phone to be set in a pseudo-off mode in response to a wiretap order. Regardless, this can still be defeated with a Faraday bag.
I don't really see this as a reason for deciding to no longer read Slashdot. Remember that GCHQ was targeting a subset of Belgacom IT staff, not all Slashdot readers. The Slashdot site, itself, was not compromised or even touched. If they targeted you it would be for whatever sites you were currently using. Your best defense is to maximize security on your own computer or smartphone. It will not make any difference to stop using Slashdot.
There is some hopeful information in the Spiegel article:
"The injection attempts are known internally as "shots," and they have apparently been relatively successful, especially the LinkedIn version. "For LinkedIn the success rate per shot is looking to be greater than 50 percent," states a 2012 document."
Reading between the lines: This shows that they had less success at targeting Slashdot as opposed to LinkedIn. This probably has to do with the kind of user who frequents Slashdot. Even among IT professionals, I would speculate that those who frequent Slashdot are more sophisticated about computer security. They are the kind that would ensure their work computers are updated frequently and would also update the software on their own computers or smartphones often. They are more likely to use less vulnerable browsers or restrict the use or limit the scope of scripts within the browser. A successful QI attack requires not only a vulnerability in the browser but one in the underlying OS to permanently make sure the computer is compromised. Do not ignore a major point here that these attacks were not always successful.
I am guessing here because it has been a few years since I've traveled by plane, but I think there is a separation of function for the TSA agents. The agent who the mother talked to was not the one who is assigned to deal with an initial positive test. I don't think these agents are allowed to talk to each other much as that would distract from the primary function of each and possibly distort the mother's explanations in the retelling. (Correct me if I'm wrong here.) I do think the more important issue here is that the agent who is testing is very well informed about the potential for false-positives and has the knowledge needed to ferret out false from negative without undue delays for a passenger. TSA agents should not have to depend on passengers to explain potential problems. In fact, they should treat such volunteered explanations only as behavioral information about the passenger. If the passenger is presenting new facts to the TSA agent, then that shows a failure in training the agents received.
Terrorists might well be willing to kill or maim other people's young children but I think they would balk at doing so to their own. History has shown a multitude of child abuse but I do believe the children's crusades are a myth. http://en.wikipedia.org/wiki/Children%27s_Crusade
I won't defend the shooter, but the possibility of targeted violence motivated by frustration with ridiculously strict governmental policy should have been part of the security equation taken into account by TSA. This could be interpreted as blaming the victim, but here, you have one of the worst incidents ever (post 9/11) affecting an airport and it was, specifically, the security policy of the TSA which can be pointed to as the proximate cause.