Forgot your password?
typodupeerror

Comment: Re:Police legal authority (Score 1) 114

by IamTheRealMike (#48443435) Attached to: Judge Unseals 500+ Stingray Records

I know, the stingray is essentially a hacking tool. That makes you think though, why on earth is there a large wireless network carrying sensitive data without TLS (transport layer security), or encryption between the modem on the phone, and the carrier? Either the contents are not sensitive, or the carriers / cell phone manufactures are complicit or worse.. incompetent.

GSM dates to 1987. When it was created, the previous mobile telephony standard was analogue - you could listen in on calls just with a regular radio. There was a very small amount of digital signalling to the network, but the field of commercial crypto hardly existed back then and subscriber cloning/piracy was rampant. GSM introduced call encryption and authentication of the handset using (for the time) strong cryptographic techniques. It was very advanced. But it didn't involve authentication of the cell tower to the handset, partly for cost and complexity reasons and partly because a GSM base station involved enormous piles of very expensive, complex equipment that had to be sited and configured by trained engineers. The idea of a local police department owning a portable, unlicensed tower emulator was unthinkable, as the technology to do it didn't exist, and besides .... trust in institutions has fallen over time. Back then it probably didn't seem very likely police would do this because they could always just get a warrant or court order to turn over data instead.

When 3G was standardised, this flaw in the protocol was fixed. UMTS+ all require the tower to prove to the handset that it's actually owned by the network. Little is publicly known about how exactly Stingray devices work but it seems likely that it involves jamming 3G frequencies in the area to force handsets to fall back to GSM, which allows tower emulation.

The latest rumours are that the company that makes Stingrays has somehow found a way to build a version that works on 3G+ networks too called "Hailstorm", but it's dramatically more expensive and as mobile networks phase out GSM in the coming years police departments are having to pay large sums of money to upgrade. The whole thing is covered in enormous secrecy of course so it's unknown how Hailstorm devices are able to beat the tower authentication protocol. Presumably the device is either exploiting baseband bugs, or is using stolen/hacked/court-order extracted network keys, or it was built in cooperation with the mobile networks, or there are cryptographic weaknesses in the protocols themselves.

Comment: Re:FBI Director James Comey may not care. (Score 1) 93

by IamTheRealMike (#48427861) Attached to: WhatsApp To Offer End-to-End Encryption

it's all, once again, a lot of buzzwords, and zero security.

That's a bit unfair. Yes, any security system that tries to be entirely transparent cannot really be end to end secure, but nobody has ever built a mainstream, successful deployment of end to end encryption that lets you use a service even if you don't trust it. There are many difficult problems to solve here. Forward secure end to end encryption behind the scenes is clearly an important stepping stone, and OWS has said they will expose things like key verification in future updates. Just because they haven't done everything all at once, and solved every hard problem, does not mean it's just a lot of buzzwords.

Comment: Re:Beware the T E R R O R I S T S !! (Score 2) 428

by IamTheRealMike (#48417807) Attached to: Republicans Block Latest Attempt At Curbing NSA Power

You're willing to sit on the sidelines while ISIS engages in a campaign of genocide and ethnic/religious cleansing? ...... They're barbarians and they need to be terminated with extreme prejudice.

You're against ethnic/religious cleansing but want to "terminate with extreme prejudice" an entire very large group of people largely defined along ethnic and religious lines .........

words fail me

Comment: Re:So basically (Score 1) 428

by IamTheRealMike (#48417785) Attached to: Republicans Block Latest Attempt At Curbing NSA Power

If the entire government became Libertarian today, it would take less than 10 years for corporations to take total control of governance and we'd have just as much (or probably more) squashing of individual liberties, but no longer any accountability to voters.

Isn't that a contradiction? I'd think a libertarian government would not want anyone, owners of large corporations included, to take over governance. That's kind of the definition of libertarianism, I thought.

Additionally, I'm having a hard time recalling the last occasion on which a company squashed my civil liberties. Actually I don't think it ever happened. Companies, even big ones, are typically very simple creatures compared to governments - they have simple needs and simple desires. Even companies that can't be easily reduced down to the profit motive (most obviously Google in this day and age) still have quite simple motivations, in their case "build sci fi stuff".

On the other hand, our awesome western governments routinely kill people for merely being in the wrong place at the wrong time or receiving a text message from the "wrong" person (see: signature driven drone strikes).

Whilst these governments aren't quite at the stage of drone striking people who are physically in western countries yet, they certainly are willing to do lots of other nasty things, as residents of gitmo will attest. So given a choice between a government that did very little and mostly let corporations get on with it, or the current state of affairs, it's pretty hard to choose the current state of affairs given the very very low likelyhood of companies deciding to nuke people out of existence of their own accord.

There are many powerful players in society and I'm not one of them. Does it make me a crony capitalist or a welfare queen when I decide I'd rather the power go to those I can vote out of office than those I can't?

No, it doesn't make you either of those things. It does mean you have a lot more faith in voting than other people do. This can be described as either very reasonable or perhaps naive, depending on where you live. E.g. in places like America or the UK voting is driven almost entirely by the economy and matters of foreign policy or the justice system have no impact on elections, politicians know that so they do more or less whatever they like. In places like Switzerland where there are referendums four times a year, preferring voting power to market power would make a lot more sense.

Comment: Wikipedia the vector (Score 1) 61

by Bruce Perens (#48386659) Attached to: Researchers Forecast the Spread of Diseases Using Wikipedia

Like others I found the headline confusing. I read it as "Researchers are predicting the use of Wikipedia as a vector for the spread of disease". This may mean that:

  • Disinformation and ignorance are diseases.
  • Memes and computer viruses are diseases.
  • Wilipedia contains information that leads to depression.
  • Instructions on Wikipedia lead to substance abuse.
  • This is getting entertaining, fill in your own reason here.

Comment: Re:About time for a Free baseband processor (Score 1) 201

by IamTheRealMike (#48386621) Attached to: Department of Justice Harvests Cell Phone Data Using Planes

Lavabit is a bad example - the FBI only requested the private SSL key directly after the Lavabit guy refused to co-operate with a more tightly scoped warrant and claimed he had no way to intercept the data of just the user they were interested in (Snowden) ..... a claim that was manifestly false and everyone knew it. If he had handed over just the data of the one user requested, the SSL key would probably still be private. But after proving that he was utterly unco-operative and quite possibly untrustworthy too, the approach the FBI took was not entirely surprising. Additionally it did go through all the motions and there was plenty of oversight of the whole thing - a lot better than some silent interception.

Yes, if the NSA decided that the signing keys for cell tower certificates had to be handed over using some crappy secret national security court then there's not much the phone companies can do. However, it's still good enough to stop your average local police force who just can't be bothered justifying themselves to a judge and going through the overhead of a proper legal request ... which is what TFA says the driving rationale for these devices is.

Comment: Re:About time for a Free baseband processor (Score 1) 201

by IamTheRealMike (#48385353) Attached to: Department of Justice Harvests Cell Phone Data Using Planes

Having a database of the cell towers a phone *should* see in a given region (it should be possible to crowdsource that) should make it possible to throw an alarm if a cell tower with suspicious characteristics "appears" at some spot.

There's no need for a free/open source baseband or really any technical changes at all to fix this at a technical level. Just disable 2G/GSM on your phone (not sure what the equivalent would be for Verizon). 3G/UMTS onwards involves the phone/SIM authenticating the tower cryptographically. That means - only way to create fake towers is to go get the keys from the phone companies. But at least the phone companies can know about it and mount a legal fight, if they so choose. It's not simply up to a donut eating agent to buy some cool hardware and charter a plane. Although in the USA that might not help much, such fights can go different ways in different jurisdictions.

The problem of course is that 3G coverage is usually not as good as 3G+2G coverage.

Comment: Re:should be banned or regulated (Score 1) 237

by IamTheRealMike (#48384675) Attached to: Will Lyft and Uber's Shared-Ride Service Hurt Public Transit?

Do you ever wonder why with this completely paranoid culture we have today why no one ever really worries about getting into a random car driven by a complete stranger in a dark alley in a city in a major US city? Well, it's because the medallion that driver carries is worth several hundred thousand dollars in most cases.

It's because people who are in the habit of assaulting or raping random strangers who get into their cars are extremely rare, and hunted down by experienced law enforcement professionals with great efficiency. It has nothing to do with taxi medallions which 99.99% of people who take taxis cannot possibly authenticate as genuine, being as they are non-experts in taxi licensing. Indeed, most taxis I've been in have visible licenses that are so basic (just a piece of paper with a logo and a photo/name on it) that forging them would be beyond trivial. And if you're the sort of person who drives around trying to entice strangers into your death-cab then printing out a Photoshopped license isn't going to stop you.

Indeed it's only a few US cities that have this crazy medallion system. In most parts of the world taxi licenses are expensive but not THAT expensive. So it can't be medallions that keep people safe.

In general I'm not against carefully thought out laws that have strong and clear justifications for them. I am not some anti-government zealot. A good, solid piece of scientific analysis showing that the costs of such laws are outweighed by their benefits would convince me, ideally backed by studies between areas where taxis are unlicensed vs areas where they are licensed. But I've found that the lawmaking process is very rarely driven by any kind of scientific process like that.

Comment: Not so fast (Score 1) 405

by Groo Wanderer (#48380489) Attached to: Ask Slashdot: How To Unblock Email From My Comcast-Hosted Server?

Before you say such things, you might want to look up the legal morass surrounging mail servers under your direct control and those not. Start with Megaupload and then follow links to the less public ones. There are DAMN good reason to keep your mail server on premises be it home or business, if you don't understand why you might want to educate yourself before giving advice.

                -Charlie

Comment: Speaking as a Comcast victim (Score 1) 405

by Groo Wanderer (#48380035) Attached to: Ask Slashdot: How To Unblock Email From My Comcast-Hosted Server?

I too am a Comcast victim, business class, and I have a mail server on their static IPs. This has been the case for years and while I have seen occasional blocking during inter-company spats, nothing blaket like you are seeing. It could just be the range you are on or it could be something else. What I am trying to say is that it is not those big three blanket blocking Comcast IPs.

I would see if Comcast can give you another set of statics in another range. That may help.

                    -Charlie

Comment: Re:Hey, no worries! (Score 1) 86

by IamTheRealMike (#48376851) Attached to: After Silk Road 2.0 Shutdown, Rival Dark Net Markets Grow Quickly

At some point - probably soon - they'll shut down the last one of these and then there won't be any more. That's how the war on drugs was won!

I know you are being sarcastic, but the number of people on this thread who need a reality check is just amazing.

Why are there no online drug stores running on regular non-Tor websites, accepting money via PayPal? Because they would get shut down and the operators arrested immediately. In fact there used to be one such site, called the Farmers Market, which pre-dated the use of Tor and Bitcoin. And the owners were indeed found and jailed. Since FM was seized there weren't any more like it.

Now we come to this. It appears that the police believe they have a repeatable technique for busting black markets using hidden services. Whether they do or whether it's just a bluff, I suppose we shall see - I suspect they have a technique that is powerful but not all powerful. But I don't know and nor does anyone else outside the law enforcement community, so the people running and using sites like Evolution and Agora are taking big risks.

If the new technique they've developed is powerful enough, it's actually not unimaginable that all such sites would end up being seized.

Comment: Re:Whack a mole; it's govt. policy! (Score 1) 86

by IamTheRealMike (#48376835) Attached to: After Silk Road 2.0 Shutdown, Rival Dark Net Markets Grow Quickly

The fact remains though.... the U.S. post office surely helped facilitate the actual delivery of many of those illegal orders placed on Silk Road, yet we never talk about arresting the mailmen who delivered the packages. We never talk about raids on the post offices to search through boxes held there either.

Um, there might be arguments for what the Silk Road and similar sites have been doing, but this isn't it.

The Post Office in any country is not explicitly set up to facilitate illegal activity. You don't read about postmen getting arrested for delivering packages because they are doing so blindly, they didn't know they were delivering drugs. And you don't hear about raids on post offices because .... duh .... the postal system cooperates with law enforcement when they get a warrant to search mail, along with other ways too.

The charges against Ulbricht and Benthall are "engaging in a conspiracy to sell narcotics". The post office is clearly not doing that, so, no crime.

it seems to me that's little more than a detail that such site operators could get around by simply making broad, more general categories that are clearly usable for LEGAL transactions as well as anything illegal in some countries.

Your understanding of the law is incredibly bad. In law, intent matters a lot. Silk Road 1.0 did in fact have categories for things like books. However its primary purpose was clearly the selling of drugs, as evidenced by the fact that they didn't remove drug listings, had dedicated categories for them, helped mediate disputes for them, charged money on them, and tried to hide themselves because they knew what they were doing was illegal.

If Silk Road had been primarily a book store, and occasional ads for drugs were quickly erased, then there would have been no problem .... but equally no point, because existing sites like Amazon already do a good job of that.

If God had a beard, he'd be a UNIX programmer.

Working...