Re: He probably meant to refer to bittorrent -- and I'm not sure he's correct
The 90% figure comes from the estimate of the percentage of the web portion of the Internet which is not indexed by the various robots (e.g. google-bot). So, we know this is not the same as the percentage of the Internet that is not accessible via DNS, much less the percentage that is only accessible via the use of a TOR browser. The COLP have apparently taken their juvenile fear of dark places, together with a basic misunderstanding of Internet architecture, and projected it into a fear of everything connected to TOR.
I don't have much sympathy for this guy. He seemed to think he was doing some kind of public service doxing various famed people among the Illuminati (???). In reality, he is just an annoying miscreant publicizing any personal information he got his hands on via guessing answers to account security questions. By now, any serious hacker knows you cannot rely on the use of a single proxy to maintain your anonymity. Yet, he made that mistake, and he sometimes used screen captures when the same data was available via files. This reveals his lack of true hacker skills. No l33t H4x0r is he! The main reason I don't have much sympathy for him, though, is that he is a cab driver and I have had some very bad experiences with cab drivers in Eastern Europe.
Despite all that, The US DOJ is still overreaching in its prosecution here. There are 9 counts.
For counts 1-3, wire fraud, they include "...to obtain money and property...". From what is revealed in the indictment and various media reports, he was not selling the information he illicitly acquired or using it for extortion. Yet, they will argue, as with Weev, that he profited from his hacking, so a charge of fraud applies. That charge is not justified.
Count 7, Aggravated Identity Theft: Guccifer's actions consisted of sending an email from victim 4 to victim 3, intending to provoke victim 3. I can see how that fits into identity theft, but I wonder how believable, to victim 3, that email was. I doubt the prosecution would want to take that into account. My hunch is that, being provocative, it was not so believable, and then count 7 would not be justified.
Count 8, Cyberstalking: Without further information it is hard to evaluate this charge. This is what mystifies me though. How can a hacker thousands of miles away be both capable of surveillance and able to harass a victim at the same time? If we're talking about control of an email account and possibly other social media accounts, it would seem that once the victim became aware of the hacking they could change passwords and answers to security questions and block the surveillance.
Count 9, Obstruction of Justice: This seems too easy to add as a serious crime when it can include any attempt by the culprit to stay hidden or erase his tracks. Recent examples are: 1: An obstruction of justice charge against Barret Brown's mother for putting a laptop in a kitchen cabinet.
2: A recent charge against Khairullozhon Matanov, a friend of the Boston bombers. He erased some of the browser history on his computer not to cover any crime he did (The FBI does not think he was involved) but his connection with the bombers, his interest in jihad, and his interest in news coverage of the story. So, the indictment mentions his erasure of his browser history for CNN coverage of the bombing story as an example of obstruction of justice.
A final issue is whether, when someone is convicted in a foreign country, there is any overlap when the US charges them with similar crimes. Is it fair to convict them of the same crime in two different countries? The indictment even asks for forfeiture when you can be sure Romania has already seized his computer and he did not gain any property from his exploits.
Well, now they've done it. If Tor and Doctorow are going to send 200 copies to the school the principal is going to have to actually burn those copies. Although, maybe shredding is the modern way, so as to avoid air pollution and an increased carbon footprint. A principal's job is to avoid controversy at all costs, including sacrificing education. So, the principal will be forced to do this in secret. I suggest Tor publish special copies with an asbestos cover. They can use the same type of cover used for a special edition of Ray Bradbury's "Fahrenheit 451". The publisher claimed the asbestos based material for that cover was safe to handle but it does preclude burning or shredding which would render the material hazardous.
Nicholson, I think, is correctly pointing out that technology, blogging and viral videos in particular, have greatly diminished the ability of a publicist to control the public image of a star. She points out that Cruise's publicist, Pat Kingsley, was an especially strong choice for a publicist. Kingsley was able to control the media image of Cruise, the propaganda, by using her connections to unfairly force mainstream media outlets to kowtow to her wishes. This (Geigner's) article misses the point, though, that Kingsley was fired by Cruise in March, 2004. Cruise hired his sister, who is also a Scientologist, as a replacement. The couch incident occurred in May of 2005. Nicholson is pointing out that Kingsley was no longer in the picture. Tom's sister wasn't able to control the negative impression of Tom Cruise pushing, not unlike a drug, Scientology. There are several reasons for that. She may not have had either the desire or the ability to keep Tom from doing that. She, as any publicist did around 2005, lost the ability to control Tom's image with the rise of blogging, vlogging, podcasting, memes, and viral videos. Despite the potential for negative image distortion from those new types of media, Tom Cruise, himself, is still greatly responsible for pushing his views involving a rather controversial religion/cult. I agree with Nicholson that this affected his film career after 2005. A star of his caliber doesn't have nearly the number of films his peers have starred in during that period. She does exaggerate his talents, and I really don't understand why she considers him "the last movie star".
I don't think the literal meaning is as important as the context of the core of the name, "science", being used as a label for a belief that is meant to replace religious belief. Thus, it's fair to say scientology is intended to be a kind of worship of science. Well, except that their belief system is just pseudoscience. Scientology completely misses the core of the philosophy of science which is a process of creating theories which are testable and using test results to alter or negate those theories.
At the end of my senior year in high school I organized a group who came onto campus in the dead of night, opened the circuit boxes for all the bells (not fire alarms) and cut the wires. This was primarily a political statement but did have the timing and elements of being a senior prank. I was one of those actually in the halls cutting wires (Don't get excited, the statute of limitations has long ago eliminated the possibility of prosecution). We had several lookouts, including outside at each end of a hall (yes, we had copies of keys). Although the lookouts had earpiece walkie-talkies, one of them was caught unawares by the lone custodian working at night. We weren't aware that custodians worked at night. Luckily, the custodian didn't notice us inside the hall, and so we finished and only saw him and our companion at a distance. We sprinted through the sports fields to the getaway car and were not caught. The administration never connected the bell malfunctions with that student trespasser. The most surprising incident was that the custodian brandished a gun in front of that student. Even back then, anyone carrying a gun on campus was a big no-no. We didn't report him though, for obvious reasons.
What strikes me most about this story is that the liaison officer was monitoring the students via social media and was the one who told school officials about a tweet referring to the fake letter. Is this becoming the standard now for school districts across the nation?
It seems appropriate for the police, including the liaison officer, to investigate something that occurred off-campus. What is very inappropriate is that he was investigating who created the letter. That creation is clearly parody, not a crime, and not subject to school policy because it is thought to have been done off-campus.
If the letter was delivered to a specific subset of students homes it could be considered sexual harassment. If so, it still doesn't rise to the level of any crime that I am aware of and isn't subject to school policy because it was off-campus. I do fault Tim for not recognizing the sexual harassment aspect. He apparently missed the session on sexual harassment at re-education camp. I will inform the proper authorities. Tim, sexual harassment is not funny! Vaginas are not funny! No, no... NOT FUNNY!!
I remember that a similar, photoshopped, image was unscrambled by U.S. law enforcement. That person was identified from the picture and arrested. It should be relatively easy to reverse the smearing of the face of the man on the right. Who applied the smearing? Glenn Greenwald, the publisher, or some NSA hack?
I believe I was going to be in the jury pool for this trial. I had been called to show for a trial on March 31st, just the time this started, and the estimate was 6 weeks for its length. Odds are I would have been dismissed from the jury because I know too much about the issues involved. As it happened, I was hit by a car and fractured my pelvis, so I couldn't easily get to court. Was I better off?
A good friend of mine is a very religious Christian. She is also very gullible. I am not saying one characteristic is a requirement for the other but I do get chain emails forwarded from her that often combine these attributes. Once, when I brought up Dr. Seuss she told me of his dark side, wherein he had published an adult pornography book. Well, I had to look that up! I did confirm that the book in question was titled "The Seven Lady Godivas" and it was intended to be a humorous story for adults but there was no intention of causing titillation. Yes, there is nudity but it is a cartoon nudity and hardly qualifies as sexual or prurient content. If a cartoon were made based purely on the illustrations in the book, it would be rated PG and not even PG-13. When I showed her the actual illustrations, my friend was amused and disabused of her impression that Dr. Seuss had this ugly dark side. Yet, there are folks out there who feel that even this book is obscene, pornographic, and evil because it has the appearance of a children's book. I wonder if the Toronto library has a copy of this title?
It's amazing to me how naive some journalists are with respect to science or technology. The following quote from the story should tell anyone with even the least understanding of networking that the mesh networks described cannot be secure.
“I just put my router up, and it will connect to anything it sees,” Ms. Gerety said. “You just keep putting up more routers.”
Doesn't the NYT have fact checkers or editors anymore? They certainly do have some reporters who are quite knowledgeable about science and technology in general and the Internet in particular.
Mesh networks are in use in the US, although you may not be aware of it. For example, the network behind PG&E's smart meters is a mesh network. Now, that one is supposed to be secure, using encryption to ensure confidentiality and exclusivity.
“This kid, when he was in high school was in the top of his class. He was extremely gifted. So he sent a letter to the [London District Catholic School Board in Ontario] indicating that their school system was susceptible to hacking.” The attorney said the school officials were nonplussed. “They said they’d like to test it themselves. He was a quote computer nerd unquote and they didn’t take him seriously.” So the 14-year-old, Joseph claims, went into the computer system and found “all the confidential information.” But then, right when things could have turned criminal, Joseph said his client stopped. “He could have changed everything, and changed nothing,” Joseph said.
This article doesn't expound the problems with laws concerning unauthorized computer access but it is not missing the point either. I don't know what the penalties are in Canada for unauthorized use of a computer but in the U.S. the CFAA is a one-size-fits-all law where any unauthorized access has a maximum penalty of five years in prison. There is a wide range of criminality lumped together as violations of this law and it includes white, or gray, hat hackers who exercise an exploit simply to prove it was possible. Even with the best intentions, if such a hacker accesses a computer they don't have permission to access, the penalty is 5 years in prison. The law against unauthorized access should not have such a draconian penalty. The heavy penalties should apply to those who exhibit more nefarious intentions by also committing fraud or theft based on the information they illicitly acquired.
I agree that a single word, either untouched or mangled, is not secure. This is true regardless of what language is used. Back in the 90's I used to use Hungarian words thinking that language was fairly obscure, only 11 million speak it. Wrong, it is now one of the standard languages used for dictionary attacks.
The current state of password cracking allows secure use of passphrases, though. A coarse attack against a passphrase using a dictionary of 20,000 words requires an effort of 20,000 ^ N, where N is the number of words. If N is 2 that effort is 400,000,000 (actually 200 million on average). This is still not secure. 3 words requires an average effort of 4 trillion guesses. This is still not secure, particularly if the words are not random but a sentence fragment. The security can be increased with mangling, but it is better to choose a basic length without considering mangling. 5 random words requires an average effort of 1.6 x 10 ^ 21. This is very roughly equivalent to a binary key of length 70 (70 bits of entropy) and with mangling can approach a password that, depending on the hashing algorithm employed, even the NSA will, currently, have a hard time cracking in a reasonable time. If one uses a larger dictionary, say 1 million words including all sorts of technical words, a random 3 word passphrase requires an effort of, roughly, 10 ^ 18 guesses. Finally, if a nonrandom, grammatical phrase is used, it should not be well known (e.g. book title, song title, lyric, famous quote, or a spelled out TLA).
It is good advice to suggest longer passwords. Unfortunately, many websites have a length limit which is too short. My credit union, a Silicon Valley financial institution no less, had an upper limit of 12 characters for passwords used for online banking. I discussed the problem with them about such a limit 3 months ago. As it happened they were in the midst of making changes directed towards making the site more secure. As a result, they increased the limit to 20 characters which is tolerable but not ideal.
A randomly generated password of 12 characters, using a good sized character set significantly larger than the set of alphanumeric characters, is fairly safe. This works well if you use a password manager and don't have to type, much less memorize, such a password. Passwords that don't require a lot of effort to memorize contain less entropy, so they need to be longer to be secure. I suggest 20 characters as a minimum. I used to use book titles along with a random 4 digit number. No longer is that safe. Now, for my 94 passwords, I use random sentence fragments from books along with numbers (I won't disclose any more, security through obscurity does have limited value). I keep all my passwords in an encrypted file. I find I can remember passwords that I use at least once a week. I don't need mobile access so I have not utilized a password manager. My solution is not the only good one and I do test it with a password cracker.
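The passphrase arithmetic in the comments above (20,000 ^ N guesses, halved for the average case, converted to an equivalent key length in bits) carried out in code. This is an added example, not the commenter's code; the word list embedded in it is a constructed stand-in, the functions take the dictionary size as a parameter so the numbers do not depend on that list, and the 10^12 guesses per second rate used for the crack-time estimate is an assumed figure for a fast unsalted hash, not a number from the thread.

```python
import math
import secrets

# Constructed sample word list (stand-in for a real dictionary). The
# size calculations below take the dictionary size as an argument, so
# they do not depend on how many words are actually in this list.
SAMPLE_WORDS = ["anvil", "basalt", "cobalt", "drizzle", "ember", "fjord",
                "glacier", "harbor", "isotope", "juniper", "kestrel", "lantern"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed attacker rate (10^12 guesses/s against a fast, unsalted hash).
# A slow hash such as bcrypt or scrypt would cut this by many orders of
# magnitude; this figure is an illustration, not a measurement.
ASSUMED_GUESSES_PER_SECOND = 1e12


def passphrase_search_space(dictionary_size: int, word_count: int) -> int:
    """Number of distinct passphrases when every word is drawn uniformly
    and independently from a dictionary of dictionary_size words."""
    return dictionary_size ** word_count


def charset_search_space(charset_size: int, length: int) -> int:
    """Same count for a random character password over charset_size symbols."""
    return charset_size ** length


def average_guesses(search_space: int) -> int:
    """Expected guesses for an exhaustive attack that stops on a hit:
    on average the attacker has to cover half of the space."""
    return search_space // 2


def entropy_bits(search_space: int) -> float:
    """Entropy in bits, i.e. the length of a uniformly random binary key
    with the same number of possibilities (log2 of the search space)."""
    return math.log2(search_space)


def average_crack_seconds(search_space: int, guesses_per_second: float) -> float:
    """Expected wall-clock time for the attack at the given guess rate."""
    return average_guesses(search_space) / guesses_per_second


def report(dictionary_size: int, word_count: int,
           guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Summarize a random passphrase of word_count words from a dictionary
    of dictionary_size words: entropy, average guesses and average years."""
    space = passphrase_search_space(dictionary_size, word_count)
    return {
        "dictionary": dictionary_size,
        "words": word_count,
        "bits": round(entropy_bits(space), 1),
        "average_guesses": average_guesses(space),
        "average_years": average_crack_seconds(space, guesses_per_second) / SECONDS_PER_YEAR,
    }


def generate_passphrase(words, word_count: int) -> str:
    """Draw word_count words with the OS CSPRNG. random.choice would be
    predictable and must not be used for this."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for n in (2, 3, 5):
        print(report(20000, n))
    print(report(10**6, 3))
    bits = entropy_bits(charset_search_space(95, 12))
    print(f"random 12 characters over 95 printable ASCII symbols: {bits:.1f} bits")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 5))
```

The two-word and three-word cases come out at 200 million and 4 trillion average guesses, matching the figures in the comment, and the five-word case lands at about 71 bits, which is where the "roughly 70 bits" estimate comes from. Note that the entropy figure only holds if the words really are chosen at random; a grammatical sentence fragment draws from a much smaller effective space than the dictionary size suggests.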
I believe the gist of this story is not so much blaming someone it's that both government and industry rely on an Internet which needs funding for critical areas involving security. One of the NSA's primary roles is ensuring the security of the Internet. That role can be filled by a government agency that provides, at least, funding to create and maintain the underlying code. There will never be trust in code used for confidentiality and authentication unless it is open source. Also, as many people are saying, the NSA can't play this role when it also has the role of spying on communications.
The KQED program about PSS quoted one LA sheriff as saying that this was a test and LASD is not planning to use PSS on a regular basis. Not that privacy was the issue that swayed them against adopting it; rather, it was cost vs efficacy in solving crimes. The LASD does care about public opinion concerning surveillance insofar as public outcry can serve as an impediment to the adoption of any particular technology by law enforcement.
Even if the cameras in the plane were higher resolution, facial recognition still cannot be applied to the images. That is, unless you can get the person to look up at the plane somehow. One of the LA sheriffs noted that PSS posed the least intrusive surveillance technique compared to the other new technologies coming into play.
Whenever there is a credit card or debit card payment involved, a retailer or any other sort of business has a contract with the credit card companies and the banks that issue such cards. That contract obligates the retail business to comply with the PCI-DSS (Payment Card Industry Digital Security Standard). When there is a security breach there will be an investigation which will determine whether the retailer was in full compliance with PCI-DSS. If not, they will be liable, rather than the banks, for losses due to resulting fraud. Also, additional fines can be levied against the retailer. Given this, it is a bit odd that the FTC is trying to apply civil penalties via a lawsuit outside of this existing mechanism. There is a lot of argument about whether compliance with PCI-DSS is enough to prevent most attacks. Compliance is expensive, time consuming, and the bureaucratic line item approach misses out on some intuitively obvious ways to better ensure security. Yet, it is at least a fairly comprehensive standard, which the FTC is lacking.