Nicholas Weaver's Techdirt Comments

Latest Comments (47)

  • An Innocent Pressure Cooker Pays The Price In The War On Terror

    Nicholas Weaver, 28 May, 2015 @ 05:27am

    Not an overreaction...

    This is not the typical "oh, it's a suspicious package" overreaction. This was a parked car, on the Capitol Mall, with a pressure cooker in view.

    Pressure cookers ARE bombs by design: as pressure bombs go (aka pipe bombs), pressure cookers are up there, with way more punch than an ordinary pipe bomb but slightly less punch than a fire extinguisher.

    Not only that, but you can easily build a pressure cooker bomb that doesn't have an external igniter but a timer in the bomb itself, so it doesn't look any different from a pressure cooker. In fact, for a timer-based bomb, it's easier to do that way.

    So this was far more reasonable than the typical "it's a mystery box, call the bomb squad" reaction, and is what I would want the Capitol Police to do in this situation.

  • FBI Director Claims That The World's Most Knowledgeable Cybersecurity Experts Are Not 'Fair Minded' About Encryption Backdoors

    Nicholas Weaver, 22 May, 2015 @ 10:14am

    I'm so glad to be called uninformed...

    I'm so glad to be part of this "uninformed or not fair minded" group.

    Considering that, just yesterday, I spent my morning writing a non-technical explainer on the latest UXO from the first crypto war that just blew up in our faces...

  • Sriracha Boss On Trademark: Mmmmm, No Thanks

    Nicholas Weaver, 12 Feb, 2015 @ 03:50pm

    One thing to note...

    Mr Tran did not come up with the name Sriracha: that town in Thailand is known for a homemade pepper paste sauce. It's different from Tran's famous Red Rooster sauce, but the name Sriracha is not original, so trademarking it would be questionable in the first place.

    Instead, he's trademarked what counts: The bottle shape. The Red Rooster. Etc.

  • Silk Road Judge Won't Examine FBI's Warrantless Server Hacking; Dismisses Suppression Motion On 'Privacy Interest' Technicality

    Nicholas Weaver, 14 Oct, 2014 @ 10:18am

    Ulbricht's lawyer is an idiot...

    Ulbricht and his lawyer were given multiple chances to have Ulbricht declare a 4th Amendment interest in the server, including a specific offering from the judge where the lawyer responded "we will rest on our papers", despite this being very well settled case law.

    The theory being that such a declaration would constrain Ulbricht's legal strategy. If Ulbricht did provide such a declaration, only if he testified that the server wasn't his would the prosecution be able to say "uh, you said this server was yours".

    But, idiot lawyer forgot that the bell has already been rung: Ulbricht submitted a similar declaration (under effectively the same terms) in the civil forfeiture over the 180k odd bitcoins seized from his laptop. If Ulbricht is so foolish as to get on the stand, the prosecution will go "So, how did you get those millions of dollars worth of Bitcoins on your computer?"

    If Ulbricht replies with anything other than "Uh, you got me", the prosecution then has a rebuttal expert show how those Bitcoins were derived from Silk Road, by tracing all the 100s of law enforcement and other test purchases and showing how the premium flowed into DPR's booty-chest.

    Overall, it feels like Ulbricht's lawyer has a bad hand, but is grandstanding to the tech press and crowd who wants to see Ulbricht as some sort of hero, with talk of general warrants and suchlike. But the only realistic hope Ulbricht had was to suppress the evidence collected from the Silk Road server: as long as the server stands (and it now does), the good ship Revenge is well and truly sunk.

    If Ulbricht's lawyer is wise, he'll get his client to plead out with something that will see Ulbricht released in 10 years, because the feds are throwing the book at him with mandatory minimums, and haven't even started yet with the murder-for-hire charges.

  • Ross Ulbricht Pulls Out A 4th Amendment Defense For Pretty Much Everything

    Nicholas Weaver, 07 Aug, 2014 @ 05:30am

    The "throw everything at the wall and see if it sticks" part is doomed to fail, but apparently the standard MO for a good attorney.

    But the big 4th Amendment issue is the real deal: A "miracle" is not a justification for a warrant, yet the FBI's discovery of the Silk Road server is just that, a miracle. EVERYTHING the FBI has depends on that initial server discovery. That even now they have not said how to the defense is a big deal, and should worry everyone.

    I want to see DPR convicted, but unless the FBI found those servers legitimately, in order to protect the liberties of the rest of us, having DPR go free is acceptable to me.

  • FIFA Pisses Away Free Advertising By Banning F1 Racer's Tribute Helmet To Germany's Futbol Team

    Nicholas Weaver, 05 Aug, 2014 @ 03:18pm

    Re: Re:

    Even if the event is over, Hyundai/Kia's FIFA sponsorship is paid up through 2022.

  • FIFA Pisses Away Free Advertising By Banning F1 Racer's Tribute Helmet To Germany's Futbol Team

    Nicholas Weaver, 05 Aug, 2014 @ 02:16pm

    The World Cup doesn't need "free advertising" after the event is over; it's absolutely irrelevant. More importantly, it actually would have cost FIFA a lot to say yes.

    Hyundai/Kia paid an ungodly sum to be the official car sponsor of the World Cup, for use in advertising worldwide. Hyundai was not going to want Mercedes gaining a free ride of World Cup association because one of their drivers just happened to be German.

    If FIFA had said "yes", complete with that big Mercedes logo in front of the helmet design, any "benefit" from free advertising would have been lost as now every FIFA sponsor knows that their exclusivity can be diluted at a whim.

  • DailyDirt: What's That In Your Food?

    Nicholas Weaver, 01 Aug, 2014 @ 05:37pm

    First link is high on the bogosity factor...

    The FIRST one of "questionable" differences was

    1: Corn syrup, while the UK version just had more sugar. Both are equally damaging.

    2: Corn starch, in red, was also in the UK version

    3: The colorant, in red, was probably just the unspecified "color" in the UK version

    4: The fats were just all classed as "fatty acids" in the UK version.

    5: The artificial flavor, in red, was probably just the unspecified flavor in the UK version.

  • Tons Of Sites, Including, In Unwitting AddThis Experiment With Tracking Technology That Is Difficult To Block

    Nicholas Weaver, 22 Jul, 2014 @ 06:30am

    Re: Ghostery

    Ghostery does block stuff like this, because it blocks the widget from loading at all.

    Of course, the problem is that this ends up being potentially disruptive, as now the AddThis widget doesn't display at all.

  • Cop's Wrong Firing Lawsuit Leads To Public Release Of Vulgarly-Titled 'Enemies' List

    Nicholas Weaver, 22 Jul, 2014 @ 06:38am

    Ohh, iCloud boyz-and-girlz...

    It's "Notes" on an iPhone. This can easily be set up to sync (and it complains when it doesn't) through iCloud, plus you get multiple backups through iTunes.

    As a consequence, the right discovery requests could possibly get the edit history of the "Eat a bowl..." list, not just the current state.

    I hope the plaintiff's lawyer is reading this...

  • New Emails Show That Feds Instructed Police To Lie About Using Stingray Mobile Phone Snooping

    Nicholas Weaver, 20 Jun, 2014 @ 01:06pm

    Re: what is a confidential source?

    Confidential source can mean a legit confidential source. Or in this case, it means "Fuzzy Dunlop"...

  • New Emails Show That Feds Instructed Police To Lie About Using Stingray Mobile Phone Snooping

    Nicholas Weaver, 20 Jun, 2014 @ 12:55pm

    Kyllo v. United States

    I think they are afraid of Kyllo v. United States.

    They are using these things without getting a warrant, yet it's very, very clear that Kyllo would have these things get a warrant:

    "Where, as here, the Government uses a device that is not in general public use, to explore details of the home that would previously have been unknowable without physical intrusion, the surveillance is a 'search' and is presumptively unreasonable without a warrant."

    (In this case, the search was an IR camera pointed at the home, and used to obtain a warrant looking for a grow room).

    Even the dissent in Kyllo was predicated on the observation that "this device didn't penetrate the home, so it's OK", which is certainly not the case with a Stingray, which searches within hundreds of homes to find a targeted phone.

    I think they are (rightly) afraid that if warrantless use of Stingrays ever saw the inside of a courtroom, the resulting derived evidence would be thrown out by an angry judiciary.

  • Germany To Begin Formal Investigation Into NSA Surveillance — But Only Of Angela Merkel

    Nicholas Weaver, 07 Jun, 2014 @ 06:06am

    They aren't investigating because they cooperate..

    The German government is a user of the NSA X-KEYSCORE (the main Internet wiretap) software as well. They outright participate in the bulk monitoring of their citizens. The Stasi would be proud.

  • Guardian Installed SecureDrop Outside The UK, Due To Legal Threats

    Nicholas Weaver, 06 Jun, 2014 @ 07:29am

    Re: Re: Securedrop is pointless theater...

    No, I'm being realistic, as an expert in the field. Tor is really good at keeping an adversary from saying "what are you doing over Tor", but it positively stinks at saying "is this person using Tor".

    Tor by default glows in Netflow, since the public relays are known, which everyone keeps, let alone any real IDS which goes "hey, these certificates don't validate, oh, and are odd in the CN/SN structure".

    This is why it was so easy to track down the Harvard hoaxer: "Look in Netflow for contacts to the Tor relays. That's his IP. Look at the access logs to find out who it is. Oh, it's this one person, go knock on his door Mr FBI".

    Alternate plug-in transports to bridge nodes prevent this, but your Tor Browser Bundle can't use those by default, since if it could, they'd no longer be good at hiding "this person is using Tor".

    It comes down to this unfortunate fact: A source which knows how to use Tor without being identified as a Tor user (using Tails on a public WiFi hotspot, ideally divorced from normal habits/movements) already has enough OPSEC skills that they don't need Tor, but can instead use burner phones and the US mail.

    Yet how many sources email the Guardian, the New York Times, the Washington Post, etc. and don't realize that the mail servers are outsourced, and a subpoena or a search warrant away from every local cop or fed (or Google or Microsoft for that matter)?
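
The Netflow check this comment describes, as an added example (not part of the original post, and not the commenter's or Techdirt's code): flows from internal hosts are matched against a published Tor relay list, which answers "is this host using Tor" but says nothing about what was done over it, and misses bridges and pluggable transports entirely. The relay addresses, internal range and flow records below are constructed sample data.

```python
"""Flag internal hosts whose Netflow records show contacts with known Tor
relays. Relay list, internal range and flows are constructed sample data
(documentation address ranges), not a real consensus or real traffic."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in for the public relay consensus; a real deployment
# would refresh this from the current relay list, since relays churn.
TOR_RELAYS = {"198.51.100.7", "198.51.100.23", "203.0.113.41"}
# Constructed internal address space to scope the check to our own hosts.
INTERNAL = ip_network("10.0.0.0/8")

# Constructed Netflow-style records: src,dst,dst_port,bytes.
FLOWS = """\
10.1.4.20,198.51.100.7,443,18342
10.1.4.20,203.0.113.41,9001,20110
10.1.4.20,192.0.2.10,443,5120
10.1.9.3,192.0.2.10,443,2048
10.1.7.8,198.51.100.23,443,910
"""


def parse_flows(text):
    """Parse comma-separated flow records into (src, dst, port, bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, nbytes = line.split(",")
        records.append((src, dst, int(port), int(nbytes)))
    return records


def tor_contacts(records, relays=TOR_RELAYS, internal=INTERNAL):
    """Map each internal source IP to the set of relay IPs it contacted."""
    hits = defaultdict(set)
    for src, dst, _port, _nbytes in records:
        if ip_address(src) in internal and dst in relays:
            hits[src].add(dst)
    return dict(hits)


def flag_hosts(records, min_relays=1):
    """Internal hosts that contacted at least min_relays distinct relays.
    A threshold above 1 trades sensitivity for fewer false positives, e.g.
    a relay address that also serves ordinary web content."""
    contacts = tor_contacts(records)
    return sorted(h for h, r in contacts.items() if len(r) >= min_relays)
```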

  • Guardian Installed SecureDrop Outside The UK, Due To Legal Threats

    Nicholas Weaver, 06 Jun, 2014 @ 07:19am

    Re: Re: Securedrop is pointless theater...

    Actually it would achieve a LOT.

    a: The UK government would need to ask for an MLAT. Which is a pain-in-the-ass.

    b: The 3rd party doctrine and the Stored Communications Act and all that crud would not apply. This is first party data now.

    c: The Guardian's lawyer is right there to fight it.

    d (and the most important one): The Guardian would know.

    Just the knowledge that the newspaper would know when its email was searched greatly prevents Rosen-style incidents, since guess what happens if a search is attempted? It becomes front page news. And those executing the warrants know it becomes front page news, adding in a pretty big check right there.

    So yes, putting your press institution's mail server in your office in the US under your lawyer's desk does actually provide a substantial amount of protection for a press institution.

  • Guardian Installed SecureDrop Outside The UK, Due To Legal Threats

    Nicholas Weaver, 06 Jun, 2014 @ 05:22am

    Securedrop is pointless theater...

    SecureDrop is pointless security theater: any source capable of actually using SecureDrop without a Harvard OPSEC Fail doesn't need to use SecureDrop.

    Rather, if the Guardian was actually serious about doing something meaningful, they would run their own mail servers and put them in their US office under their lawyer's desk.

    Because, since it is outsourced to Gmail, they admit they can't trust their email at all to be private, but do potential sources know that?

  • DOJ's Tone Deaf Criminal Charges Against Chinese Hackers Helps No One, Opens US Officials Up To Similar Charges

    Nicholas Weaver, 20 May, 2014 @ 05:04pm

    It really mystifies me too...

    The US keeps making a distinction between economic espionage (where the data is stolen from a company and given to another company) and "national interest" (where the data is stolen from a company and given to US trade negotiators instead). It's one that they believe in, but the rest of the world doesn't.

    And otherwise, the NSA has proven to be as aggressive (if not more so) than the Chinese. After all, the NSA doesn't bother spearphishing once they've started weaponizing the Internet backbone...

    So how are any high-up officials in the intelligence community ever going to visit, say, Brazil, which now knows that Petrobras was hacked by the NSA to gain information to the US's advantage? Or any DEA official in the Bahamas, now that it's been revealed that the NSA, with DEA help, executed full-take of all cellphone calls?

    I think the reason for it is willful ignorance. The one group most ignorant of the NSA's activities is the US government itself: Because all the Snowden slides are still classified, and reports often include the slides themselves, they are like a bunch of kids going "nah nah nah we aren't listening".

    Thus as a result they make stupid decisions, like starting an "arrest for hacking" legal war with the rest of the world, and are going to be facing a world of grief once everyone else goes "hey, if the US does it to NATO allies, we can do it to them..."

  • Anti-Game Violence Crusader Leland Yee Arrested On Charges Of Bribery, Corruption And Arms Trafficking

    Nicholas Weaver, 27 Mar, 2014 @ 08:55am

    See page 83 and 84...

    It's great, describing the gun deal Yee was brokering. You want automatic weapons? Shoulder fired RPGs? Senator Yee is the man for you!

  • Anti-Game Violence Crusader Leland Yee Arrested On Charges Of Bribery, Corruption And Arms Trafficking

    Nicholas Weaver, 27 Mar, 2014 @ 05:55am

    Ha, arms dealing...

    Leland Yee is also a notorious anti-gun legislator, to the point of ridiculousness. His biggest focus was on the "bullet button", which is actually something gun control people SHOULD actually embrace. [1]

    A link to the complaint here:

    Thus the gun charge is particularly amusing: basically it's setting up a deal (in return for a campaign contribution) with a gun importer.

    [1] Namely, in CA, "Assault weapon" is defined as a rifle with "removable magazine + 1 scary looking feature (pistol grip, flash suppressor, adjustable stock, etc)".

    So someone came up with the "Bullet button": a magazine release that requires a tool, so it's no longer removable, and a legal limit of 10 round magazines.

    Now these are great: The gun-types can have their ARs with all the features they think are so cool, they are great home defense guns (far better than a pistol or a shotgun: 5.56 breaks apart much easier in walls and is much more accurate), yet they, well, can't be quickly reloaded!

    So it's perfect: The tacticool guys get their tacticool shit, people who want a home defense gun get 10 easy to hit with, break-apart-in-walls shots, but the crazy-wacko-spree-killers are SOL. And the gangbangers always used pistols: it's hard to stick an AR down your pants.

    Yet Senator Yee viewed this as a "loophole" and has been fighting it for years. He and a couple of colleagues got a sweeping "assault weapon" ban passed that would reclassify effectively EVERY rifle as an "assault weapon"! (It was so bad that Governor Brown actually vetoed it!).

  • Belgian Prosecutor Looking Into Reports That NSA/GCHQ Hacked Well-Known Belgian Cryptographer

    Nicholas Weaver, 04 Feb, 2014 @ 09:49am

    I'd ask the opposite: What kind of person, who sees mail with a link from

    a: Company that routinely sends such mail

    b: Matches semantically with such mail

    c: Would be something they'd want to view

    would NOT click on the link? I think the blame the user mantra here is ridiculous. Such links should be untrusted (no plugins, no scripts), or disabled completely, but to expect users to not click on a link in email destroys the whole notion of sending links in email.
