I remember reading about Richard Stallman's setup [0] and thought it sounded indeed crazy. I couldn't understand why he needed so much 'freedom'. I do now.
The difference between "tinfoil hatters" and reasonable people like Bruce Schneier now seems to be how concerned they are with their ability to destroy a harddrive, and TEMPEST.
You mean changing the number of "2048" to "4096"? I'm not sold on that being a meaningful improvement to his security, but even so, you realize that change costs him nothing, right? He needed to generate a new key... why not set it to 4096 bits? Everything he does with that key happens in human scale time --- even a 500ms per message delay wouldn't be noticeable.
So, some evocatively named Linux distro recommends the same key size, is what I understand you to be saying, and therefore... what? Aliens really did land at Roswell?
> You mean changing the number of "2048" to "4096"?
No, certainly not. I agree with you; the change from 2048 to 4096 isn't interesting.
The interesting part is that he 1) generated a new key (okay, not actually interesting in itself), 2) is using it in an isolated install, 3) this isolated install is on entirely separate hardware, not just a VM, 4) this separate hardware is new hardware that has never been networked.
Tinfoil Hat Linux was never really about using large PGP keys, you could use large PGP keys on a co-located RHEL box just as well as you could on an old crusty THL box covered with shoes and bluejeans in your closet. Rather, Tinfoil Hat Linux was about cautious (really, hyper-paranoid for the hell of it) treatment of private keys and plaintext. Extremely cautious treatment of plaintext and private keys is what he is currently going out of his way to do.
Is going to such an extreme (new hardware that has never been networked?) really necessary? I don't have the expertise to say. What I can say is that it is nearing the sort of baseline paranoid treatment of private keys and plaintext that THL is known for. He's not blinking out leaked documents in morse code yet, he isn't worried about white vans down the street reconstructing the images on his monitor or RF leakage from his CPU giving them bits of his private key, but we are at the point where that is the next logical step.
(And no, aliens never landed at Roswell (or anywhere else), JFK was shot from the Book Depository (and only the Book Depository), and Stanley Kubrick did not film the moon landings (that was done with television cameras mounted on tripods, the LEM lander legs, and the astronauts' chests))
> Is going to such an extreme... really necessary?
Since Schneier's now doing analysis of unreleased Snowden documents for the Guardian, he now has reason to believe that the NSA has a strong motive to see what documents he's working on.
Seems to me that the level of tin-foil-hattery that's reasonable to protect against an organisation likely to be targeting you specifically needs to be an order of magnitude greater than that which is reasonable to protect against a general-population surveillance dragnet.
Well, tin-foil-hattery traditionally refers not only to the paranoia associated with the probability of being watched but also with the malicious or manipulative intent of those people or groups. Schneier needs to protect himself from the possibility of either his data being used in a manner to prosecute or punish or action taken to stifle work he has so far kept private. It's more than reasonable for him to give credence to the threat of a self-interested government agency acting maliciously toward him.
However, Schneier was a target well before this due to the nature of his work. It is exactly the scope of the recent revelations that throws the conventional thinking on where the fuzzy line between an appropriate risk assessment based on position of interest and the general population. When the potential dragnet is widespread and permanent I no longer have to only consider how important I am now (which I'm not), but I also have to consider if I will ever take on a role that IS important not just now, but then.
Just out of curiosity - assume you took a key of 8096 bits - and it is super long - could you then make a hash of the key which were shorter, and provide the hash, with instructions on how to reverse it, and then use the hash to produce the 8096 keylength with less digits between you and the recipient?
Are you asking whether you can compress an RSA key?
Anyways: don't use 8192 bit keys. Whatever kills the 4096 bit keys is going to kill RSA along with them. Honestly, I think 4096 bits is also kind of a you're-kidding-yourself key length; if attacks on 2048 bit keys became tractable, RSA is probably in serious trouble.
Dude, Get your ass to SF so I can buy you the many beers I owe you!
I get truly excited when I see your replies, I'd love to banter in [inebriated] public! With that said, may I please make the humble request;
You have contributed a shitload of awesome comments on the state of "who-the-fuck-are-we-kidding" with respect to encryption and privacy in light of what we actually know now related to the NSA....
Would you please create a post, in an Explain-Like-I-Am-Five-Years-Old manner on both the state of the capabilities of the NSA, the state of current encryption tech/methods we rely on, AND what the heck I, as an individual, could/can/should do about protecting myself.
---
I can speculate all day long about all sorts of things, but I am asking - given the NSA-Fatigue I suffer from - for your help.
I WILL PAY YOU FOR THIS SERVICE; Set the price at $20 for the best recommendation. Crowd-source your network of people who have enough info to contribute to the recommendation...
Aside from smashing my machines and cancelling my power utility, I have no clue how to regain privacy at this point.
Then we will drink, and be Merry, Pippin and Sam!
EDIT: Tawny Port May be responsible for this post.
No - one of the main points of a hash is that it is non-reversible.
Also, if you had a short string that could be expanded into the larger key, then what you really have is a short key to a slightly different crypto system, which is less secure than the original key in the original system.
Also, if you can significantly compress a string of truly random data, you can also probably compress digital video by a significant factor as well, and should therefore found a startup selling your groundbreaking compression technology.
Also, from your Tinfoil Hat Linux link, this idea is hilariously awesome:
Keystroke monitoring — THL has gpggrid, a wrapper for GPG that lets you use a video game style character entry system instead of typing in your passphrase. Keystroke loggers get a set of grid points, not your passphrase.
I wonder if it might be possible to implement that idea into other operating systems?
Air gapped with new hardware: "Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good."
Air gapping is certainly not unprecedented, but individuals using it have traditionally been considered pretty "tinfoil-y".
edit: "I wonder if it might be possible to implement that idea into other operating systems?"
gpggrid itself could probably just be built on any other Linux install. Certainly it could be recreated. One of the neat features of TFL that I really like is the idea of blinking LEDs on the user's keyboard instead of displaying things on screen. Effective? Who knows... but certainly amusing.
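The grid-entry idea discussed above (and the randomized-landmark variant raised later in the thread), as an added example that is not gpggrid's code and not part of any comment here. It assumes a 6x6 grid of lowercase letters and digits that is reshuffled before every character; all names are hypothetical and the passphrase is a constructed sample.

```python
import secrets
import string

# Assumption for this sketch: 36 symbols so they fill a 6x6 grid exactly.
ALPHABET = string.ascii_lowercase + string.digits
SIDE = 6


def fresh_layout(rng):
    """Return a newly shuffled SIDE x SIDE grid as a list of rows."""
    cells = list(ALPHABET)
    rng.shuffle(cells)
    return [cells[i:i + SIDE] for i in range(0, len(cells), SIDE)]


def user_picks(passphrase, layouts):
    """Simulate the user navigating to each character on the grid shown
    for that step. The returned (row, col) pairs are everything a
    keystroke logger can capture."""
    if len(layouts) != len(passphrase):
        raise ValueError("need exactly one layout per character")
    picks = []
    for ch, layout in zip(passphrase, layouts):
        for r, row in enumerate(layout):
            if ch in row:
                picks.append((r, row.index(ch)))
                break
        else:
            raise ValueError(f"{ch!r} is not on the grid")
    return picks


def recover(picks, layouts):
    """What the entry program does: map each pick back through the grid
    it displayed at that step."""
    return "".join(layouts[i][r][c] for i, (r, c) in enumerate(picks))


def session(passphrase, rng=None):
    """One passphrase entry. A new grid per character means a repeated
    letter does not produce a repeated grid point, so the log does not
    even leak which positions hold the same character."""
    rng = rng or secrets.SystemRandom()
    layouts = [fresh_layout(rng) for _ in passphrase]
    return layouts, user_picks(passphrase, layouts)


def demo():
    secret = "correcthorse42"          # constructed sample passphrase
    shown, logged = session(secret)    # 'logged' is the keylogger's view
    later, _ = session(secret)         # grids from a later login
    return {
        "program_recovers_secret": recover(logged, shown) == secret,
        "replayed_log_recovers_secret": recover(logged, later) == secret,
    }


if __name__ == "__main__":
    print(demo())
```

The protection holds only against input capture: anything that can also read the screen sees the grids and can run `recover` itself.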
If he was serious he would be burning CDs/DVDs instead of using a read-write USB stick. It is tedious, but blank media is cheap and there is precedent (that I'm sure Bruce is aware of): The DoD's own (classified) SIPRNet was infiltrated via a flash-drive based virus back in 2008.
I kinda thought the same thing about flash-drive viruses, and why Bruce wasn't using CDs/DVDs instead. Then I realized if he was really serious, he wouldn't say what he's really using, and he'd have a USB honeypot plugged into his network-facing computer.
Note that he didn't say what software he's running on the new air-gapped computer. The difference between locking down one air-gapped PC running only software required for encryption and locking down the entire network of PCs running the wide variety of software required to do everything everyone needs to do on the SIPRnet is huge.
Another approach might be to set up an old-fashioned serial link between the machines. It's easy enough to observe and audit all the traffic that passes through a serial cable.
The switch is electrical and advisory. The SD card reader is free to ignore it.
Search for "Bootable SD Card Method" here: http://chdk.wikia.com/wiki/Prepare_your_SD_card (I have a Canon camera that runs CHDK. Those instructions work, and the camera can write to the SD card.)
The SD card switch is actually read by an external physical sensor (a tiny button like the write-protect buttons inside of ancient 3.5" floppy drives), at least on most SD cards. I had an SD card whose switch wasn't quite thick enough to trigger the writability sensor of an SD card reader, so I had to wrap it in tape.
He's not doing that because of concerns about PGP, just to be clear, but because his host computer isn't secure (none of ours are); he's doing basically the same thing as the people who run their browsers in a VM, or the same thing that security professionals tell business owners to do when they want to access their online banking.
The general idea is to use a machine which has minimal opportunity to be compromised through other activities. There have been known to be exploits that allow a compromised VM guest to compromise the host, and obviously if you compromise the host you can compromise all the other guests.
Using a separate VM is worse than using a separate physical machine and better than doing nothing. Whether it's "good enough" depends on who you are. Who are the plausible attackers? What do you stand to lose if it goes wrong?
The VM is easily vulnerable to the host OS, so running in a VM only protects the activities you do in the VM in the sense that the software pwning the host might not be looking for it. So not really.
Unless you are not using the host OS for anything _other_ than virtualization. If the host OS is used to host VMs[1], which are then used for specific tasks (casual browsing, banking, development, etc). Any exploit will be limited to the VM. This would be a pretty solid setup. It is only vulnerable to attackers that have direct access to the hardware, or have the ability to exploit the hypervisor.
[1] in other words if the host OS is used as a hypervisor, or if the host OS _is_ a hypervisor.
> Germany's best-selling PC magazine c't periodically distributes "Bankix" on their CD.
> I believe that quite a few people actually use it.
That sounds like a great attack vector. How secure are factories where discs are pressed? Even without access to the factory you could buy a bunch of magazines and repackage them with compromised CDs.
Someone would probably notice, checking the DVD against a checksum.
Repackaging it seems to be tricky, since the paper inlay is bound in the magazine, it's not just stuck on the cover or whatever. You tear it out at a perforation, leaving part of the DVD cover inside.
There are much more exposed attack vectors on online banking users, I would think.
And you can always just download the ISO and check it against the hash (and the PGP key).
I've set up VMs for people with their credentials in the VM and nowhere else, and the host firewalled pretty restrictively such that that VM is pretty useless except for banking. I suspect compliance is high on systems like that.
Most European banks do. Only few US banks do. Primary reason for this difference is that it's trivial to transfer money from one European bank account to any other bank account. It basically works like email, where you can just enter any destination bank account number. With US bank accounts the process is much harder, as you first need to add and confirm the second bank account (which somewhat reduces the risk of what can happen if someone gets access to your account).
We're almost to a point where the question isn't whether or not they support it, it's finding out that they have a program, clicking through tiny text links at the bottom of pages, and figuring out how yet-another-implementation works.
The major ones that I've used do - Chase and Bank of America, both through sending codes over SMS to login and perform certain activities once logged in. For BoA, even if you stole my password and browser cookie (to get past the login check), you still wouldn't be able to do anything but pay my bills for me. Anything that might send money to a new destination, like creating a new billpay recipient, changing the info of one, or adding a wire transfer destination, requires an additional 2-factor code.
Both my banks do (European banks, specifically Rabo and ABN/AMRO).
These are still not immune to phishing attacks but it's a lot better than TAN codes or some other 'dumb' authentication scheme.
Typically these systems work in conjunction with pin-and-chip card, a small piece of hardware that generates the codes and a challenge / response system built into the website you use for the authorization.
Separate challenges exist for logging in (read access) and transferring money.
Those are common in Brazilian banks as well. At least four of the six biggest (I don't remember about the last two) do two-factor authentication.
Another cool thing I've seen in Banco do Brasil was the need to authorize the computer you're going to use in a ATM or in a 1-800. If I recall correctly, they do that with a Java applet.
Recently they also launched a common-malware-search-and-destroy application of MANDATORY use in Windows computers (my mom uses, she asked me. And yes, the digital certificates were all valid).
My American Express personal savings does. HSBC does and even allows you to enter your 2FA on a JavaScript keyboard (clicky click) if you choose to mitigate the threat of a key logger.
Given what we know about USB sticks, especially their use in Iran, you would have to be ABSOLUTELY FUCKING RETARDED to trust them.
Oh so he encrypted his files, and walked them between his stand alone and his internet machines. Yeah, okay this established the file's integrity, and that's just fantastic.
But what assurance does he have that the USB stick isn't getting infected on the internet machine, and then deploying stealth hacksaw services onto the standalone, to buffer and relay data and commands each time it jacks in?
I mean, that's exactly what Stuxnet was designed to fucking do.
It's different if you own your own USB stick and only use that stick, and have the hosts configured correctly. Arbitrary USB devices picked up off the ground or provided by malicious people do terrify me, mainly because they can be keyboards or whatever in usb-stick physical packaging.
Even USB sticks that are your own USB sticks could be keyboards or whatever. Unless you've verified it isn't, a store-bought USB stick is just as risky as one that you picked up from the street or that someone gave you; in both cases you have no idea 'where it's been' before it got into your possession.
No, the vast majority of USB sticks in the world are not pwned. If you randomly go out to purchase one in a large market, it's pretty likely to be safe.
Things like the Bagram PX were concentrations of high value targets with only one source of supply. The general USB stick marketplace is a lot safer. In China they're often fake and thus unreliable (smaller than advertised), but in the US, I'd be pretty comfortable driving to a Best Buy 50 miles away and picking up a random USB token.
A USB key someone hands you is much more likely to be a targeted attack. A USB key randomly lying on the ground outside a target is also much more likely to be an attack.
The vast majority of USB sticks are lost, not attacks, the vast majority of USB keys handed to you are handed to you in good faith, not as attacks.
That doesn't mean there are no attacks.
So prudence is advised in either case, on the off chance that the one that you have is a bad one. Ditto for anything else that you stick into a USB port.
That webcam plugged into your computer, are you sure the mike isn't on all the time and that the driver doesn't pass your speech during the day out in compressed and encrypted form to some server farm at night ;)
Just like bareback sex with partners who remain monogamous for the duration of your relationship, repeatedly sticking the same USB device into your computer is a lot less risky than sticking a wide variety of USB devices of unknown provenance into your computer...
Air-gapping is really the only way to stay secure. Plus, I would worry about cameras, microphones and vibration monitors, so I would want to put the air-gapped machine in a room that is away from any other electronics. Ideally in some sort of faraday cage, or at least located a reasonable distance away from walls - to bring it up to TEMPEST (or similar) standards. Unfortunately, most of us do not have the space in our homes to do it properly, so we have to resign ourselves to losing control of our machines and our data.
I see a new product. The air gap - a micro computer that takes simple commands, like mail, ftp and get, to serve as a simple go between layer for people who want this kind of privacy.
IMHO, the hard part would be creating the interface on the PC.
Julian Assange worked on projects relating to maze navigation, theorizing that people could memorize the muscle sequences but not be able to tell them under pressure, or fail under pressure.
Randomizing the position of landmarks eg. go to A, B, E, C, F, then showing a map could let the user enter a different sequence of keystrokes to get the same result.
Surely a virologist can be considered more reasonable about related matters of personal than the general public (who cannot even be trusted to immunize themselves or their children, and cannot be trusted to trust modern medicine instead of roots some hippy pulled out of the ground behind their shed).
Bruce isn't a nutter. I don't think many people would actually argue otherwise.
> "Trust no one! Suspect EVERYTHING!", I can say today without sounding crazy.
It's really not that hard to say this seriously without wearing a tinfoil hat. I've been doing that since high school.
The key is thinking in terms of operations, rather than in terms of generic trust. You need to know what you're doing, maintain opsec and have a strong, realistic threat analysis. For me, the Snowden cascade hasn't changed anything: if someone can penetrate the USGov's defenses, then they can almost certainly penetrate mine.
And that has always been true.
The revelations are a matter of ideological trust--trust in whether or not someone agrees with you--, but the USGov has never had much of this kind of trust, not even at its founding, nor has it ever acquired it.
Mainstream media bombardment and constant advertising harassment do a pretty good job of mind control, though.
Also, culture is the best mind control. Raise people with a mind set the way you want it and you never have to do anything directly, because they already are siding with you even through cognitive dissonance.
You could be right. Or it could be the exact opposite. Or something else. It doesn't matter. Fundamentally we do it to ourselves, because we're herd/pack/social animals. We shun anyone too different from the tribe, it's in our DNA. Because of that, we are highly evolved to fit in.
Yeah, we're self aware and all that, we have choices, but what we generally choose to do is identify with some group and hate opposing groups. It's what we do.
In England and Wales, truancy is a criminal offence for parents.[6] Since 1998, a police officer of or above the rank of superintendent may direct that for a specified time in a specified area a police officer may remove a child believed to be absent from a school without authority to that school or to another designated place....
It's not that widely known, but you can remove your child from state education as a parent and teach them yourself. You just have to tell the local authority you're doing so in writing.
>Although mind-control waves still aren't, TO THE BEST OF MY KNOWLEDGE, a thing.
Knowing that you're under constant surveillance and your every step/action is recorded makes wonders in the way of shaping and controlling your behavior.
Too often people forget that propaganda machines (media outlets) and biased education materials significantly shape the perspective people have of the world. That's the kind of 'mind control' which matters.
The original idea of a "tinfoil hatter" was that the "hatter" wore a head garment made of tinfoil, to block the mind-control radio waves the [government|aliens] were using to take over people's brains. I don't think we have any particular indication that is likely, yet.
Everyone cares if they would [and that they are]. What is immaterial is what technology the governments use to spy on their people, especially unlawfully.
To be fair, there is plenty of documentation that diverse subliminals find their ways into television programming, and even the music in supermarkets. Just like Fight Club.
Effectiveness of subliminal messaging (i.e. visual and audible signals which are so quick/quiet/subtle that they're available only to your unconscious mind) is not that hard to test in a laboratory, and studies are pretty conclusive that it doesn't influence decisions unless the stimulus is presented within a few seconds of making the decision (i.e. grocery store aisle).
People are definitely swayed by overt, liminal signals in subtle ways, but subliminal messaging specifically was created by an ad agency and the science was pretty well debunked.
Well, we're probably just a few short decades away from us being able to influence things around us (and possibly even animals) with mind control. At that point you'd have to believe the government would be already working on ways to get into people's heads.
"Trust no one! Suspect EVERYTHING!", I can say today without sounding crazy.
What's seemingly worse/more crazy is many of these materials date from 4-5 years ago (2008-09). If these data were public, it would have potentially caused huge behavioural shifts.
In that way, it's reminiscent of 9-11 where the damage was done not on that day, but the years earlier when the bad guys were training in plain daylight.
Regarding the kernel.org hack: Even with git’s hashing, wouldn’t an attack on Linus’ – or even a subsystem maintainer’s – computer still be a viable way to get code into the kernel, as said code would be a variant of new, unpublished code rather than changed old code?
It wouldn't be particularly easier to do it that way than just submitting your subversive code normally. Either way your change would need to be "underhanded" such that anybody viewing it wouldn't suspect anything.
In fact, trying to slip it in under the radar like that would actually just increase the chances of getting caught, because then it becomes something that isn't supposed to be there instead of merely something that does something that it isn't supposed to do.
If you can come up with a backdoor that requires the non-obvious interaction of multiple parts of the kernel (or parts of the kernel and certain user-space actions) then it would be reasonable to break up the necessary changes and slip each one in as a part of a larger demonstrable improvement to each specific subsystem.
For example (completely hypothetical), you could create a race condition in the kernel's page allocator that can reliably be triggered by filling up physical ram and then forcing the kernel to allocate more memory for itself by filling up the proc table past a certain size. So in one patch you include an improvement to the allocator that has this obscure race condition but otherwise makes the allocator work much faster. Then in another patch you increase the maximum size of the proc table (under the pretense of supporting some big-iron system that practically no one outside of some HPC centers own) so that filling it up will force a kernel page allocation. So then you can force the exploit to occur on any system with both patches installed simply by allocating all the physical ram and then creating a ton of do-nothing processes that max out the proc table.
If you are an organization like the NSA you could even have the submissions come from what appear to be completely independent developers.
It is kind of the exploit version of "parallel construction." You know the exploit you want to put into the kernel, you just need to come up with reasonable sounding explanations for every little patch that ultimately gets you to the end goal.
That reminds me of a story I read about how the satellite companies foiled carders by slowly building up a new decryption system out of apparent garbage released across a long string of updates. I don't dare to search for it though, so I don't have a link.
There is every possibility, however, that there is open-source code in the Linux kernel that, at runtime, interacts with specific microcode instructions that can backdoor a system. Runtime remote backdoor triggers are more useful anyway, because the one thing the NSA can't do is hide from network sniffers. (Of course the best way to hide would be piggybacking on something like automatic software update requests - which I happen to disable, as a nod to my tinfoil wearing brethren.)
How many security exploits have been found in the Linux kernel, or other trusted software? How many of those were around for a "long time"? Every one of those got by the normal peer review process.
So the question is, which is harder: does it take more skill to accidentally insert a bug that gets by (sometimes for years), or to do so on purpose?
The use of malware in police enforcement is truly a unique event in society. At what other point in history has police distributed a completely illegal tool onto unsuspected and non-targeted civilians? It feels like a total unexplored area of liability laws, so I look with excitement to when the first lawsuit starts.
Some people have compared malware with guns. This is to me a very bad comparison, since guns actually have legal usage like hunting or self defense.
A better example would be an undercover cop, selling real drugs to real people with the intent to impress a local drug cartel. It has to my knowledge never happened, but it would be interesting to know if the cop could be held liable if someone dies from an overdose from those drugs.
Let's say that a police virus spreads out of control, and infects millions of computers. What if this specific Firefox exploit gets copied by a botnet, and is used to execute credit card stealing software on unsuspected users. How liable can the police become when millions of people are affected? I really have no clue.
It's possible that installing malware on a machine could be legal if the police have a warrant to wiretap that specific machine. However, in this case, they indiscriminately pushed malware to thousands of users on that site, many of whom were probably not doing anything illegal. So how does this not violate the Fourth Amendment?
The Fourth Amendment says: "No Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."[1]
This is ridiculous. Acetaminophen is Tylenol. Are you seriously trying to make the argument that Tylenol is a poison?
Arsenic is a poison. Lead is a poison. Cyanide is a poison. Tylenol becomes toxic at a certain threshold (like every other substance on the earth for that matter).
Sure, it is toxic to your liver in large doses. That isn't why Tylenol 3 is Schedule II while pure Codeine is Schedule II. The difference is in dosage. Tylenol 3 tends to come in doses of around 5mg Codeine to 300-500mg Tylenol. You get T3 when you have a tooth taken out, or maybe some minor stitches. You are also only given a few pills.
You get pure Codeine when you break a bone or stick a pencil through your eye. Or one of the stronger codeine-derivatives (oxycodeine, etc). These come in larger doses and are more prone to abuse.
Hence Schedule III.
I'm no fan of the DEA or the schedule system...but the "Government" isn't poisoning anyone. That's pure FUBAR and true tin-foil-hattery. It's a classification system for the abuse potential of perfectly legal drugs.
The FDA is considering a black label warning for acetaminophen and recently changed the max "recommendation" down from 4 grams daily to 2.3g (IIRC). It is most definitely a liver toxin with therapeutic index that's not so amazing.
People get prescribed ratios of 100:1 APAP:hydrocodone (750/7.5 for example) - it's idiotic from a health and safety perspective. If you need opiate painkillers such as hydrocodone or oxycodone, the extra APAP is unlikely to be of much benefit, and you can always just take some APAP on the side. The APAP is there purely to "prevent" abuse.
I'm not suggesting the "Government is poisoning people" as a conspiracy, I'm suggesting the same idiotic politics and ideas at play during alcohol prohibition are still alive.
Yes, but in rare cases. Acetaminophen is not the easiest thing in the world for your body to deal with. But this is technically correct and in the 99 percent case you're correct so this is kind of belaboring the point.
Sure, but you can make that argument for virtually any substance. A particular combination of genetics and <insert molecular compound> will equal a bad reaction in some portion of the population. It's practically guaranteed due to the nature of genetics and statistics.
> At what other point in history has police distributed a completely illegal tool onto unsuspected and non-targeted civilians?
It might be a stretch but..
"LSD was one of the materials tested in the MKUltra program. The final phase of LSD testing involved surreptitious administration to unwitting non-volunteer subjects in normal life settings by undercover officers of the Bureau of Narcotics acting for the CIA." - http://en.wikipedia.org/wiki/Project_MKUltra
Thank you. It was a covert human research operation experiment rather than police enforcement, but it still bears some meaning on this issue. The government offered one victim's family an out-of-court settlement of $750,000.
If the government releases a virus and it causes damages, government might be found liable. Still, an out-of-court settlement is not exactly a predicate, so it's hard to know what would happen.
I think the most troubling aspect of this case is that the FBI modified the computer systems before Ireland seized them as evidence. It seems absurd that law enforcement can effectively tamper with evidence before it is secured, then use that tainted evidence as part of a prosecution.
Is there any indication that this evidence is used? This was under discussion around the Bundestrojaner in Germany whether such a computer can be used as evidence. I doubt that this won't come under severe scrutiny at least in Germany.
> It has to my knowledge never happened, but it would be interesting to know if the cop could be held liable if someone dies from an overdose from those drugs.
From some quick researching, it seems the government in the US is more and more prosecuting the dealers, or even the person who gave someone the drugs if there is a death. You give your friend Bob some methamphetamine, and Bob dies, you're more than likely getting charged with second degree murder if they can prove you are the source.
> At what other point in history has police distributed a completely illegal tool onto unsuspected and non-targeted civilians?
For quite a while. Law enforcement have installed physical surveillance and tracking devices since as long as they have existed - and unsuspecting innocents have been caught on those tapes and recorders.
It's also a question of whether those tools are illegal - there may be laws against them, but the government can get special permissions
For a wiretap, they'd definitely need a warrant. And I think there was a recent court decision that says that police need a warrant to put a GPS tracker on someone's car. What they did here was to install malware on thousands of machines, without any probable cause to believe that any specific machine owner was involved with child porn. If I understand the law correctly, they would need to obtain a specific warrant for each machine they wanted to search.
Let's say that there was a store in a neighborhood that was known to sell child porn. No judge would sign a warrant that gave police permission to put a GPS device on every car in that neighborhood to track whether they ever visited that store (and they may have visited but bought only legal merchandise). So why is it different if you do it on the internet?
A better one would be 'Would a judge give a warrant to allow the FBI to place a GPS tracker automatically on everyone who visited a store that was known to sell child porn?'
I think my analogy is more accurate. There were many independently owned web sites (stores) hosted at Freedom Hosting (neighborhood), and not all of them carried child porn. You could visit one of the legal sites without even knowing that there was child porn being hosted by Freedom Hosting (or even knowing where the site was being hosted).
From the article:
Freedom Hosting was a provider of turnkey “Tor hidden service” sites — special sites, with addresses ending in .onion, that hide their geographic location behind layers of routing, and can be reached only over the Tor anonymity network. Tor hidden services are used by sites that need to evade surveillance or protect users’ privacy to an extraordinary degree – including human rights groups and journalists. But they also appeal to serious criminal elements, child-pornography traders among them.
"Freedom Hosting has long been notorious for allowing child porn to live on its servers. In 2011, the hacktivist collective Anonymous singled out the service for denial-of-service attacks after allegedly finding the firm hosted 95 percent of the child porn hidden services on the Tor network. In the hearing yesterday, Donahue said the service hosted at least 100 child porn sites with thousands of users, and claimed Marques had visited some of the sites himself."
So this paragraph of the news report suggests that sometimes Anonymous and the FBI can be united in the goal of stopping child pornography, although not united in how they try to deal with it.
Please tell me more background about that. (I recall mention of this before on HN, but I'm not recalling many details.) What's our best information on how leadership of Anonymous has changed over time?
AFTER EDIT: Thanks for your link, which I think came as an edit to your comment. Here is a link to follow-up news:
But his FBI handlers said he was "brilliant, but lazy": they discovered him selling stolen credit card details on Facebook, and traced him to his home when he used an unguarded internet connection to go on the 2600.com site, which is popular with young and old hackers.
Is 2600.com a honeypot for the FBI? How'd Sabu expose himself by merely visiting that site?
Speaking of which, there's publicly available security software that can (try to) identify original sources of phrases, identify links between websites and who said what first, etc. One example: http://www.paterva.com/web6/products/maltego.php
Someone else should step up and give a comprehensive overview, because I can only recount the timeline from memory, not provide sources. But iirc, Anonymous was a loose coalition of random people on the internet, some of which turned out to have some basic hacking skills. They weren't really taken seriously until they embarrassed HBGary. At that point, the FBI began investigating them. Anonymous changed their name to LulzSec (or possibly AntiSec). The FBI used standard police techniques to infiltrate and eventually dismantle those groups. The technique was simply to 1) figure out who was a member of Anonymous, 2) threaten them with prosecution unless they cooperate, 3) repeat. This eventually led them to turn Sabu, Anonymous's leader. I'm going to dig for an interesting HN comment I remember reading about the relationship between FBI, Anonymous, and the takedown of Freedom Hosting.
In order to be friendly to mobile users, I'll copy-paste the comment here (although the link is worth reading because of the informative replies):
---
redthrowaway 40 days ago
Interesting. Freedom Hosting had been a target of Anonymous' Operation Darknet from the beginning--they're well-known for refusing to take down exploitative sites. Operation Darknet is, itself, a pretty interesting phenomenon: Anonymous hacks onion sites, then hands over user information to the FBI for investigation. Anonymous does what the FBI legally can't, and in exchange they're not prosecuted for it. I can't find the article now, but I recall reading an interview with an FBI agent in Wired or Ars or some such where he described the anons as "Internet Superheroes". (sic)
That, in and of itself, is kind of curious. Curiouser? One of the original Op Darknet principals was Sabu. You may remember him as the hacker the FBI rolled and got to bust up LulzSec. Sabu was turned by the FBI on June 7th, 2011.[1] Operation Darknet began several months later, in October, 2011.[2]
The obvious question, then, is this: Did the FBI use Sabu to entice Anons into attacking child porn networks, thereby evading the laws against them doing it themselves? Did they use the fact they turned a well-known hacktivist to help them deal with criminals they lacked the legal tools to go after? Is this arrest the culmination of those efforts?
LulzSec was not Anonymous. While some of its membership may have overlapped, that doesn't really mean anything, because anyone can be a part of Anonymous, simply by carrying out acts in the group's name.
Sabu forgot to activate TOR before logging into IRC just a single time, and the FBI was able to locate him. Sabu was the legal guardian of his siblings, and was pretty much told that he would never see them again if he didn't cooperate with the feds. And so Sabu became a mole for the FBI, spending the next several months trying to elicit identifiable information from his own crew. For the most part, it worked.
What's interesting is that at least one of his fellow hackers is already out of prison, and the rest are going to be out in a few years. Sabu on the other hand, being a United States citizen, faces much harsher penalties than his European counterparts even though he was the only one with a deal. If I had to guess, best case scenario he is going to be sentenced to 10 years. To be honest though, I wouldn't be surprised if he got a few decades more.
Also, Sabu didn't have to manipulate Anonymous into attacking CP networks. It's something that they do on a semi-regular basis. They did it before Sabu, and they are doing it now.
That's the ask.fm profile of Topiary, the LulzSec leader that spent some time in prison. There's quite a few interesting answers regarding what LulzSec actually was and some of his opinions of Sabu.
Like I said, that's just a guess based both on the severity of his crimes and the tendency of the United States to overreact to anything that involves a computer.
> The FBI used standard police techniques to infiltrate and eventually dismantle those groups.
Seriously, how do we know the FBI's story isn't "parallel construction"? It always seemed to me that tracking down Anonymous would be easy if you had NSA-scale monitoring. I don't want to sound like a paranoid guy, but maybe the FBI's stories about tracking down clues from chat logs are all made up.
Basically, the NSA is suspected to cooperate with other arms of the government, such as the DEA. The NSA supposedly provides information about who is involved in what illegal activity. Apparently this information is provided illegally, without a warrant. So if the DEA gets info from the NSA, the DEA needs to make up a story about how they came to possess that info, since that info was collected illegally without a warrant. That's parallel construction.
I don't know whether NSA would bother with a target like Anonymous, but it's not outside the realm of realistic possibility.
The biggest question is, how did the FBI identify Sabu? He supposedly revealed himself by visiting the website 2600.com, and selling stolen credit cards on Facebook. But how did visiting that website reveal Sabu?
Actually, now that I think about it, the best explanation is probably the simplest: 2600.com probably runs forums, and Sabu probably posted to those forums from his home IP address like an idiot. So the FBI simply demanded his IP address from 2600.com.
I'll look for the article, but as I mentioned above, the way I understand it is that he logged into IRC without using TOR or a VPN one time and they got him.
Lulzsec was a group of people that split from anonymous. They used "AntiSec" as their slogan. Anonymous is still around and often they either disagreed or completely fought against what Lulzsec was doing.
Anonymous itself does not have leadership, it's more of a swarm mentality.
Ya, you were being cute, but Lulzsec was Sabu and his group. Anonymous is whatever a random group of people decided to do that day and call themselves Anonymous. Tomorrow it will be a different group of people with a different and potentially conflicting cause.
It's still a proper noun relating to a specific group of people. It's like a team name - just because the roster of the Steelers changes over the years doesn't mean that 'Steelers' is not a name.
Edit: 'Anonymous' is a team name, I mean, not 'God' :)
God is an idea that makes people feel better about themselves and to put themselves on a moral high ground over others.
What makes the Steelers the Steelers is not the roster, it is the paid position of the Coach and the owner of a legal entity and a defined goal and purpose. Anonymous is none of that.
Anonymous is anyone. It could be a bunch of people protesting Wall Street today. Tomorrow a group could call themselves Anonymous and protest Westboro Baptist. The day after a group calling itself Anonymous might break into Sony's systems. They might be all the same people, some of the same people or none of the same people. Each group might be made of people that agree with the others or vehemently disagree. It is not a specific group of people, it is not even a coherent group of people.
Anonymous has no leaders and lulzsec isn't Anonymous.
I think it is more accurate to say that Anonymous has a fluidity of leadership and followers. It is a bunch of factions that dynamically organize as members see fit.
I was really hoping that this article would provide a 'next steps' plan or similar for the users that the FBI obviously exploited. If they're openly admitting that they purposefully did this, that means that they're certainly considering legal action or more capture of data about these individuals.
The FBI was never going to ignore huge stockpiles of easily accessible child pornography on the deep web, and Hacker News was never going to believe that this wasn't about more than child pornography. Just another day.
Police "techniques" involve guns, tear gas, helicopters, etc. At any time the police could in theory fly to your house, launch tear gas into your windows, and shoot you in the head as you run out. And I don't know about you, but I'm not exactly worried about that happening to the point where I want to take guns, tear gas, and helicopters away from the police.
This is the FBI taking down criminals engaging in a clear criminal activity, and it is silly to implicitly compare it to the NSA fishing for terrorists. All the evidence gathered here will be presented in a court of law, all the techniques used will have to be approved by judges as in accordance with laws and the constitution or the gathered evidence will be thrown out. The suspect and any other future suspects will get a trial if they want. It will be out in the open.
If you are upset that the software you thought was secure and anonymous isn't as secure and anonymous as you thought, that isn't the FBI's fault.
I would actually quite like to take military grade weaponry, as you described, away from the police, or at least significantly scale it down. That level of armament is a sign of something dreadfully wrong with American society, and certainly not helpful towards fixing it.
IANAL, but I'd be surprised if the police were allowed to raid me, launch tear gas through my window and shoot me in the head. Even with a warrant. I'm not worried about this happening, because it doesn't. If it did, I'm sure it would blow up into a huge scandal.
I am worried about government agencies intercepting my traffic / communications because it does happen, it's really hard to find out unless you know what you're looking for, and they don't have a warrant on every American citizen that happens to get caught.
startpage serves you google results, anonymized. It's sort of like scroogle was, I suppose.
ddg, I think, does their own spidering and also serves bing and other results (but not google), but that's from dusty memory and it could be wrong or changed. ddg will however forward your request to google if you want, and you'll get a results page from google itself. In fact I use ddg as a front end for google when I want to use google.
Police having military weapons and vehicles is actually a huge problem, especially when they are punished with no more than a paid vacation for misusing them.
> At any time the police could in theory fly to your house, launch tear gas into your windows, and shoot you in the head as you run out. And I don't know about you, but I'm not exactly worried about that happening to the point where I want to take guns, tear gas, and helicopters away from the police.
The FBI as every state organization is a position of power given by the state and its citizens to protect them from illicit activities. All of them, not some of them.
When the FBI engages in unethical and illicit practice, it's like stating that rules do not apply for them. Given for granted that they are in a position of power a priori, it's hard for me to see how this is a good thing and how accountability can be held.
Also you seem to be convinced that the judge and court will apply the rule of law to the FBI as they would have done with you and me.
It is unethical or illicit for me to tap someone's phone or install malware on their computer. That doesn't mean it's illicit or unethical for the FBI to do so. The whole point of having a state is to trust it with powers that individuals should not exercise on their own authority.
>I don't know about you, but I'm not exactly worried about that happening to the point where I want to take guns, tear gas, and helicopters away from the police.
If we were to learn that they found it to be acceptable practice to use these weapons indiscriminately on innocent people in their efforts to catch the bad guys, I might want to take away their guns, tear gas, and helicopters.
Hooray. A new growth industry for the us-ians. We'll export prison sentences! Just in time too. I hear we're running low on minorities with dime-bags of pot to incarcerate.
> The apparent FBI-malware attack was first noticed on August 4, when all of the hidden service sites hosted by Freedom Hosting began displaying a “Down for Maintenance” message.
The underlying reason for this has been the notion that the FBI was attempting to catch people engaged in CP related activities...
This may be a little tin-foil here, but...
If you deliver a 404-type of a page on all requests, no website is traversed, no CP is viewed, transferred, replicated, or distributed. Meaning there is nothing here to charge the person with.
Does this article get the facts wrong, or was the purpose of this exploit something entirely different? Because if the article is true (this exploit was only in "Down for Maintenance" pages, which were the only pages served), all they did was get a bunch of useless IP to MAC to host-name correlation/mapping data for that moment in time.
There is also the 'Fruit of a poisonous tree' argument here. Would this untargeted hacking even stand up in court if this data is used to prosecute someone?
This sounds more like flexing of the muscles - the FBI saying we can get you if we want to. Or something else was going on. It also seems like a waste of a good exploit that they would probably use towards terrorist or national security related issues (ex: if they knew the MAC or host-name of a bad guy using TOR that day, but did not know his IP / so they put this out).
The way Tor works is that anyone can set up something called a "hidden service". It's basically a website that can only be visited by using Tor.
These websites have a unique URL. For example, Bitcoin Fog's URL is http://fogcore5n3ov3tui.onion/ If you try to visit that using a standard web browser, it won't work. But if you use Tor browser, then it takes you to the Bitcoin Fog hidden service.
Some of those websites were devoted specifically to delivering CP. Now the FBI's reasoning goes like this: anyone who was visiting those websites was very likely visiting them for the purpose of looking at CP.
The FBI delivered an exploit designed to identify as many of those people as possible. So even though no CP was being served, people were still accessing the URL. The malware collected the MAC address and hostname of the computer, then submitted that info to an FBI server. So those people were apparently added to a centralized FBI database.
One way that database might be powerful is if e.g. a politician (or any other government worker) were identified as a visitor of one of these websites, because whoever controls that database now controls them.
Yes, it's reasonable to think that their goal was to just inject the iframe and keep the pages running, but something went wrong and pages were pulled down to maintenance mode. This might also be what actually happened, but it wasn't noticed until after the maintenance pages were served and someone went looking at the source.
This is actually a pretty good attack. The only problem I see is the usefulness of the evidence that the attack gathers. Visiting an FBI warning over Tor isn't illegal, so appearing in some child-porn-user database because you were curious about how the exploit worked is a little disturbing, given the stigma child porn has.
I'd also like to see the legal theory they used to seize control of someone's computer. Did a judge sign off on this attack strategy?
But ultimately, I think they used some pretty good software engineering to solve a problem they wanted to solve.
It was reported the exploit was inserted on all Freedomhosting sites. Freedomhosting hosted far more than just child pornography, so just because someone got dinged by their exploit DOES NOT mean that they were perusing child pornography sites.
The effect is to dissuade CP traders. It's a warning shot, and it probably scared a lot of people off of Tor. I wonder what the effect on Silk Road has been.
Wiretapping normally requires a specific target, with a specific reason. Going after the tor email service is like wiretapping the US postal service for a fishing expedition.
It sounds to me as being outside the FBI's legal wiretapping abilities.
First, you are implying that Tor has an official Tor e-mail service, which it does not. Tormail is/was just a basic e-mail service someone not associated with the Tor project was hosting on the deep web. For all anyone knows, Tormail itself could have been run by the FBI or NSA or whatever all along. Anyone who thought Tormail guaranteed them anonymity was a fool, much like anyone who kept Javascript enabled while browsing the deep web was a fool.
Second, Tormail wasn't itself targeted. What was targeted was the hosting provider that was hosting 95% of child pornography in the deep web, and that hosting provider also happened to host Tormail and a bunch of other non child pornography websites.
Conspiracy theories will abound, of course, but keep in mind that the NSA's MO is not to disrupt communication but to intercept it. If the government's real concern here was with Tormail, they would have simply kept it around and tapped it, since they had clearly compromised the hosting provider's boxes and could have done so. They wouldn't have shut it down and just sent people fleeing to the dozens of other supposedly anonymous and secure e-mail services out there, including ones that perhaps they haven't yet compromised.
> What was targeted was the hosting provider that was hosting 95% of child pornography in the deep web, and that hosting provider also happened to host Tormail and a bunch of other non child pornography websites.
What the government did was the equivalent of showing up at the houses of everyone who used a particular post office and forcibly fingerprinting them because that post office routed 95% of the child porn magazines in the US (regardless of what percentage of their traffic that actually was, which you don't even mention besides 'there were other sites, too').
That would be a clear abuse of powers, as is this.
This would make the FBI guilty of a whole bunch of felonies, would it not? (Independent of whether what they were doing is morally right or wrong, isn't this exactly what they imprison hackers for?)
You probably miss the point of a 2 caste system - one above the law and the other. USA has been significantly lagging (compared to many other countries) in development of such a system, yet it has made huge progress in that direction during the recent decade.
But if the government as an official approved sanctioned policy directs an employee to do an action (like, hack into Facebook's servers), good luck trying to get that employee arrested. The government may be doing illegal acts, but no one can be arrested over those since they are sanctioned by the two law making branches of government (executive and congress).
> "Mozilla confirmed the code exploited a critical memory management vulnerability in Firefox that was publicly reported on June 25, and is fixed in the latest version of the browser."
Will Rust help eliminate the problem of buffer overflows and other memory related hacks?
IIRC the original attack was a JS heap spray (using JavaScript Typed Arrays, no less), so not only would the browser have to be written in rust, but also the JavaScript engine which, AFAIK, isn't on Mozilla's roadmap (but I don't speak for them).
Uh, no. A heap spray is not an attack. It's a method of exploiting a vulnerability, but it's a) trivial to do and b) useless without said vuln. Also rewriting the JS engine in Rust doesn't change the ability to heap spray.
Which Rust should help with as well, as long as people don't use unsafe pointers too much.
Of course, this is assuming Rust and Servo ever gain enough traction to build a viable browser; they're still at an early enough stage to be vulnerable to the problems lots of young, ambitious projects have, of taking on too much at once to ever be done enough for production use, interest petering out and never quite getting to the point of something widely usable (like Perl 6).
What is happening to this world? The Government and its so-called agencies vested with protecting America and its allies are treating everyone like criminals, privately harvesting our information via any means possible.
They don't even have to hide it any more. They can admit things like this and nobody can do anything about it. We've passed the point of being able to defend ourselves against actions like this. Every step we take to protect our privacy, the Government is presumably two steps ahead.
Pff. That's like saying the government is spying on you because you saw a police officer look at you when you walked past a police car. Personally, I am just fine with the FBI harvesting the details of anyone who visits a CP site. So this puts strain on the network and causes loss of functionality for non-illegal uses of Tor - inconvenient, but then it's also inconvenient when you can't park because a police car, fire truck, or ambulance is taking up the space you hoped to park in. On a scale of 1 to 10, the harm suffered by non-criminal Tor users during this sting operation looks to me to be about a 1 or a 2.
From my point of view there appears to be a huge campaign to discredit Tor or short FUD going on.
Okay, lately there appears to be a huge campaign to discredit Tor going on. The botnet, the Freedom Hosting thing.
We should fight back on that. Tor is still the best tool we have and maybe these attacks are the best sign of it.
If you consider switching to a VPN like many do..
That's a bad idea. VPNs are no technology for anonymity. There are various reasons. They don't defend against various attacks, but more importantly they are owned by private entities. Did you hear of this PRISM thing? [rhetoric question] Well, guess what a private company.. even outside of the US would do if any government would ask for a backdoor, maybe even offering money.
A reason why there are these great releases about attacks on Tor is the fact that it is the best tool we have. There are attacks on it, but way less than on any comparable technology. Numerous institutions, universities, etc. work on both finding attacks and improving Tor. The Tor community is attracting the smartest people in the world, just like the NSA is. There is no other anonymity software with so many scientific papers written about it. There are attacks, none of them reaching beyond what can be done to VPNs, etc. and there are tons of improvements that are outlined, that only need a tiny bit more research or only the actual implementation. If you want to work on a real quality product for the greater good there probably is no better place than the Tor Project.
If you wanna help right now (meaning in seconds to minutes) here are some places to go.
Flashproxy seems pretty dark unless I've misunderstood it - automatically opting website visitors in to becoming a transient TOR node is deeply unethical.
Looks like it's all out war between the government and people who value their privacy...
Really, it always was, but it was a sort of "undeclared war". Now there's really no question about what's going on, so it's time for the gloves to come off.
This is crazy, but really interesting at the same time. I always thought that this was the way to break anonymity on the Tor network.
FBI basically generated a shit-load of Tor nodes (https://blog.torproject.org/blog/how-to-handle-millions-new-...) for some while to increase their chances of intercepting traffic. Following the data collection and using statistics, they were able to pin-point the origin of most Freedom-hosting request/response, and then raided the place.
Think about it: if you own 9/10 of the nodes of the Tor network (and they did for a while) and simply analyze all the traffic, it's just a matter of time before you can find what you are looking for.
The second interesting thing is how they planned everything using the Firefox exploit to find out who was going on each Website. I'm pretty sure they got what they were looking for.
Even though this is highly scary in terms of government control, I think we can all learn a lot about it. Also, I'm wondering how much this attack cost.
The blog post you link to was about a recent massive increase in Tor clients, not Tor nodes.
From what I've read I was under the impression that Freedom Hosting itself was hacked to disclose its IP addresses, rather than the FBI taking over the Tor network.
You are confusing two things, one is the sudden increase in tor traffic you linked to, and which was possibly caused by a botnet which used tor as command & control network. The other is the attack on freedom host, which the FBI perpetrated. There the FBI injected a trojan into websites and could therefore deanonymize users of the websites. So in that case tor did protect the malware as designed, but could not protect the anonymity of the user, because the local computer did make a connection over TCP/IP.
This is fantastic. Now I know who I can sue for destroying the tormail accounts I was using for (legal) business purposes. Probably the best news I've had since Tormail went down.
In a proper judicial system any evidence gained resulting from infecting computers with malware by law enforcement would automatically be inadmissible because the owners of those computers were no longer the only ones with access.
If this is the only manner that the FBI --or any law enforcement for that matter-- has for identifying TOR users, then wouldn't the best operational security just be to firewall yourself off completely except for Tor connections? Better yet, you could monitor what applications are trying to broadcast out even if they are designed or intended not to leak. Isn't this what the TAILS live-CD does? For this case, even if your software was out of date and vulnerable to the initial attack on the browser, the attempt to broadcast out would hit a firewall and fail (and ideally be logged and alerted).
An easy way to prevent this sort of thing is to use two machines. Run Tor and privoxy on one of those machines and allow it to build its circuits and such. The second machine should be configured to use the privoxy instance as an HTTP proxy and should not have a default gateway configured.
(Also, on the first machine, you could use iptables to only permit outgoing traffic from the uid that Tor is running as and to drop everything else, just as an extra precaution.)
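The lockdown described in the two comments above (outbound traffic permitted only for the uid Tor runs as, everything else dropped and logged), written out as an added example that is not part of the thread. The uid, the client address and the proxy port are assumptions supplied by the caller, and the ruleset covers IPv4 only.

```shell
#!/bin/sh
# Added example: egress lockdown for the machine that runs Tor and privoxy.
# Assumptions (not from the thread): Tor runs under a dedicated numeric uid,
# the second machine has a fixed LAN address, privoxy listens on a known
# TCP port. IPv6 needs the same policy loaded through ip6tables-restore.

# Print an iptables-restore ruleset for the Tor box.
#   $1 = uid Tor runs as, $2 = LAN address of the browsing machine,
#   $3 = TCP port privoxy listens on
tor_only_egress_rules() {
    tor_uid=$1 client_ip=$2 proxy_port=$3
    for n in "$tor_uid" "$proxy_port"; do
        case $n in
            ''|*[!0-9]*) echo "uid and port must be numeric" >&2; return 2 ;;
        esac
    done
    case $client_ip in
        ''|*[!0-9.]*) echo "client address must be dotted IPv4" >&2; return 2 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $client_ip -p tcp --dport $proxy_port -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m owner --uid-owner $tor_uid -j ACCEPT
-A OUTPUT -m limit --limit 6/min -j LOG --log-prefix "blocked-egress: " --log-uid
COMMIT
EOF
}

# Audit a ruleset in iptables-save format read from stdin.
# Returns 0 only when the OUTPUT policy is DROP and every OUTPUT ACCEPT rule
# is loopback, reply traffic on an already accepted connection, or the Tor
# uid given in $1. Anything else is printed as a finding.
audit_egress() {
    awk -v uid="$1" '
        /^:OUTPUT / { policy = $2 }
        /^-A OUTPUT / && / -j ACCEPT$/ {
            if ($0 ~ / -o lo /) next
            if ($0 ~ /--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) /) next
            if ($0 ~ ("--uid-owner " uid " ")) next
            bad++
            print "unexpected egress path: " $0
        }
        END {
            if (policy == "DROP" && bad + 0 == 0) exit 0
            exit 1
        }
    '
}

# Typical use, as root on the Tor box (values are placeholders):
#   tor_only_egress_rules 107 192.168.50.2 8118 | iptables-restore
#   iptables-save | audit_egress 107 || echo "egress policy has drifted"
```

With the policy loaded, a process other than Tor that tries to open a direct connection is dropped, and the kernel log line carries the `blocked-egress:` prefix and the offending uid.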
I think you will want to use a router that automatically tunnels everything leaving the local network through TOR. And then put in a permanent "everything read-only mode" by burning a fuse or something...
Can't trust the local machine to tunnel things correctly.
The attacker could just as easily have made the connection out via Tor, but it might not have been considered quite as strong for their evidence gathering process.
Another example, it sounds like one might have dodged this particular attack by using a browser other than the Firefox bundled in the TBB. But whether or not using a non-TBB browser gives you a net increase in security probably depends a lot on the user.
My two cents about the "French hosting provider":
On the 22nd of July, the French hosting provider OVH suffered an APT attack from intruders looking for the database of European clients.
On the 29th of July, OVH announced new rules about using Tor on their network...
In August Marques is arrested.
What do they do about users who do not turn on Javascript?
Or users who do not use the popular browsers?
It seems like the malware authors here, government employees or contractors, are just like all the others that form the underbelly of the internet... they only focus on the least sophisticated users or the users who always follow the herd (not the Hurd): Windows and OSX/iOS users.
This is about child pornography. I support this action by FBI for a change. The deep web is rotten in some respects. Child pornography cannot be allowed anywhere. If I were in the FBI, I would do anything to stop child abuse.
It's sad everyone on here is amazed the good guys have good tools. Sure it probably cost them $1M USD to have some server record an incoming ip from an http request, but still.
"Oh noes, we aren't 3 steps ahead of them, they are 3 steps ahead of us." Fuckin-a they are and I'm glad.
Getting rid of scumbag terrorists, child porn shitbirds and spying on foreign adversaries is fine by me.
And yes, I already know the comments will be "what if they designate you a terrorist some day". I suppose I will cross that bridge when that happens.
Nobody is amazed that the "good guys" (btw, whose good guys?) have good tools. It's been known for decades that the USA has some of the best signals intelligence people and systems.
But that's not even relevant here. This particular attack exploits a known issue of Tor, which has existed by design since day one. Hacking machines isn't rocket science, and the particular vulnerability in Firefox was public before the attack.
What people are surprised by is the brazen and open use of an illegal hack by law enforcement officials. We have laws for a reason and lawmen to uphold those laws. When the lawmen are breaking the laws we're pretty much fucked. I'm sorry that you can't see that.
The known issue of Tor that I refer to (and sorry for not being more specific) is that a buggy client can leak your identity. The Firefox exploit leverages this design weakness.
The FBI didn't conduct a 'mass malware attack' on the open web. It did, however, inject malicious code in Tor hidden services that were hosted in Freedom Hosting.
WTF? Can we even trust the water we get from the government? Maybe they put some meds in there to make us dumb and compliant. Is that too far-fetched now after what we've been reading?
>> Donahue also said Marque had been researching the possibility of moving his hosting, and his residence, to Russia.
Nice try FBI, but I have a feeling that Putin's Russia will have him in a gulag after a 5 minute "trial," appeal included.
Not just "once". Many conspiracy theorists still believe that it is some form of government plot or another. The theories range from it being a toxic waste disposal scheme that is poisoning people (and as far as I know, there is some basis for the claim that fluoridation came about as a way to cheaply get rid of a relatively toxic byproduct; that doesn't validate any other part of it though), to fluoride being used as a mind control chemical (usually pointing to drugs like Prozac that include fluoride as "evidence").
Of course, none of these "theories" manage to address the fact that there is fairly strong evidence that water fluoridation does in fact reduce tooth decay.
> Of course, none of these "theories" manage to address the fact that there is fairly strong evidence that water fluoridation does in fact reduce tooth decay.
Not agreeing with those theories, but this argument is flawed.
Even if it does "reduce tooth decay", so what, in the context of their argument? Who said a substance can't do two things at one time?
The number of compounds that have significant and useful mind altering properties, are tasteless in water at their effective doses, don't cause severe adverse reactions in any large segment of the population, even at uncontrolled doses, and which also naturally occur in some water supplies to begin with is tiny.
If you narrow that search down further by adding the constraint of a simple and easily explained health benefit that has since been repeatedly validated by science, you should expect to find approximately zero compounds.
To look at it another way, suppose that studies had been done on fluoridation and found no benefit in terms of tooth decay. That would certainly be evidence in favor of the conspiracy theories. It is always the case that if E is evidence of H, then ¬E is evidence of ¬H, so the fact that fluoridation prevents tooth decay must be at least weak evidence that the conspiracy theories are false. The argument above gives one reason that it is not particularly weak evidence.
One of the more sensible theories I've heard is that the fluoridation push happened at about the same time as the need to ramp-up uranium hexafluoride use for enrichment processes ... and that the sudden demand for fluoride could be masked by a civilian "decay prevention" program.
Read up on Sabu and the timeline of events between his initial arrest and the various Anonymous Operations. He's a narc, has admitted it and was very much involved in most of the operations. Coincidentally, most people in those operations were rolled on and his assistance has been used in their arrests/cases.
Check the timelines. Some of Lulzsec's most dramatic attacks were carried out with an FBI agent literally looking over Sabu's shoulder.
'Opdarknet' in particular seemed quite a bit different from the rest, in the MO (basically the same as the FBI used against Freedom Hosting) and the wording of their release.
Margaret come on now, that would be 233 hours of work if she was paid on a 1099. She still needs to pay tax and self-employment tax on all of that money. That said, I don't think 233 hours really counts as "just a few hours".
"Trust no one! Suspect EVERYTHING!", I can say today without sounding crazy.
Also, remember this? http://www.linuxfoundation.org/news-media/blogs/browse/2011/... ....hmm, I wonder if....