Cool story on your link about the Radio Moscow stuff--but the FBI finding him probably wasn't as hard as it would seem:
1. The letter was probably mailed from a relatively local (30 miles) post office.
2. At the time, there probably weren't a whole heck of a lot of Teletypes within 30 miles of his town. (I don't think that characteristic would have been obfuscated by the thermal copying--in fact, there may not have been many thermal copiers, either.)
3. Simple human interviewing probably led the FBI to the "troublemaker" type.
In other words, I don't think the FBI had to analyze the paper in the envelope, track the manufacturer, find out where the envelopes were sold, etc.
(This sounds like some pranks I've thought of, though mine aren't near as clever.)
Back on topic, the lessons learned would be:
1. Don't use your home machine in any way (compiling, copying, etc.).
2. Don't use a machine anywhere "near" you (geographically or organizationally), or at your school, or employer, or somewhere easily connected to you.
3. If you use a public terminal (direct analogy to the post office here), make sure it's more than 30 miles away :>.
Then there's just a chain of logs to follow--a subpoena of proxy n's logs yields the address of proxy n-1. The boundary condition at n=0 is the IP address of your machine, and the process server is at your door.
If I were inclined to distribute such software, I'd start with Usenet, via an anonymous remailer, via freedom.net specifying three offshore servers in different countries. And I still wouldn't feel really comfortable that I was anonymous.
First, there is no justice. You should have been modded up (+1, Funny).
The thing is, if Amex uses the same "bank number" (first four digits) as for their other cards, there won't be an easy way to filter these, like there is with WebCertificate that always uses the same bank number. (BTW, I've never run across or heard of a site filtering based on bank number--I would be interested in knowing of any.)
If more companies get in on the act, they aren't going to be able to tell if the card is good for recurrent billing unless that's made part of the authorization scheme. And other companies are getting in on it. I received an ad from AAA of all places offering "stored value" (a.k.a. disposable) Visa cards.
It's called SET (for Secure Electronic Transactions), and it's been around for around 20 years and was developed by the credit card industry. I guess the industry decided that fraud is cheaper than security.
The only reason I can see that they do it that way is this (I assume MS can afford the CPU for the encryption overhead):
If you're connecting to Hotmail through an anonymizing proxy, it (in most cases, see the now defunct lpwa proxy, for example) won't proxy SSL connections. So the unsuspecting "John Doe" sending an email message that irritates someone in any way may never know it was the "X-Sending-IP" or similar header, gained from that short SSL connection, that gave him away.
FCC regs require cell phones to be able to call 911 even when there is no service. (Naturally, cell phone service providers don't play this up in their advertising.) Therefore, you should be able to pick up a phone at a thrift store, etc. and use it to call 911.
The problem is how to empirically test this. The way I would do it is to carry it around, wait for a moron speeder weaving in and out of traffic, tailgating, and cutting people off (mean arrival time about 5 minutes around here), and use the phone to call 911 to turn in the moron's plate, location, and direction of travel. Once you've done that, you will know for sure it works, and maybe have gotten the aforementioned moron a well-deserved traffic ticket.
I have no problem at all with CDDB charging for their service, just as soon as they obtain all that track information using their own resources.
What they've done is no different (in principle--obviously, cataloging CDs is trivial in comparison) than an organization like the American Red Cross one day becoming a for-profit corporation and providing services for a fee, but keeping all the donated money and resources.
BTW, the argument that people with the "linux-mentality" won't pay for anything is lame and tired. You can do better.
CDDB is a perfect example of the disingenuous (but all too common) practice of taking work done (typing in track names) by many in a cooperative effort without permission (the work was given with the understanding that it would continue to be available free without condition), then closing it off for commercial gain. See also Deja (Usenet posts--older archive removed).
Are there safeguards to prevent FreeDB from doing the same thing some day? Had CDDB been required to pay authors some sum ($1?) for each CD cataloged, they likely would never have dared to choke this stuff off.
(As an aside, if I had written MediaJukebox, I'd randomize the client identifier or masquerade as various "authorized" clients (just like changing the user agent field to avoid sites that discriminate based on browser (or block wget)). Then if cddb (now <puke>Gracenote</puke>) blocked MediaJukebox they'd have the people who paid (or agreed to conditions or kowtowed in some way) them upset. Then they could sue, causing more publicity for FreeDB :>)
BTW, where's the RIAA? Surprised their panties aren't in a knot about lists of album names, titles, and track times being available for download. Or has Gracenote paid them off?
And you'll be doing those upgrades, updates, etc. for FREE--q.v. the Magnuson-Moss Warranty Act. Took care of cute things like automakers requiring dealer oil changes to keep car warranties in force, and directly applicable against what you describe.
At Compaq, E-machines, and other similar companies in this market, suits are likely preparing the inevitable memo to the webmasters that goes something like this:
Add NOT AVAILABLE IN PENNSYLVANIA to the bottom of the order pages.
Especially when everyone knows that . . .
. . . wait for it . . .
cheetahs never prosper!
Sorry--I had to do it--a cheesy Lion King reference and bad pun all in one.
If this man really thinks that child molestation goes hand in hand with mp3 . . .
He doesn't really think that--it's even worse! He's knowingly trying to help spread the meme that only the worst kind of perverts and criminals use peer to peer file sharing.
People who say copyright infringement is theft are the ones who are "redefining theft." Copyright infringement != theft. So stop all the bullshit about theft and this and that, at least be honest with yourself.
And if someone must buy wanking material because the stuff available free on Usenet just isn't hard core enough, he (or she) should consider buying a Webcertificate. It's a MasterCard number based gift certificate, that also would work nicely as a throwaway credit card number. For $10 (plus a $2.95 service fee), someone could sign up with 10 "Adult Verification Services" in one day, the Webcertificate would be out of money, and no further charges could be made to it. Send the Webcertificate to a throwaway email address for a small degree of anonymity (certainly better than using one's own card). Time to see more? Just get a new Webcertificate. No troubles, except for possibly going blind or insane.
Polluting the database is good, but polluting it with plausible data is better. It's pretty easy for a "value added" "content" provider to pass all the non U.S. or Canadian registrations by a clerk to purge the Mr. Get Bents and U. R. Snoopings from Angola and Zimbabwe. It becomes intractable when numerous persons use made up but realistic names, valid but incorrect addresses, and a phone number that doesn't start with 555. (Hell, if you're feeling altruistic, give them real demographic data with the fake name--since many site operators claim to only use aggregate data, they don't need a real name for it to be useful, right?)
Until the day Equifax or somesuch lets these people hit their database on the cheap, bogus but realistic sounding data is the way to fight the erosion of privacy by sites requiring registration (e.g. NY Times) to see content.
(The closest I ever saw to the database match scenario was Netscape's old ITAR compliance page for 128 bit versions of their browser. It would check some commercial database for name verification. It did some simple edits, and that database is most likely polluted with lots of plausible data--otherwise, people giving fake data wouldn't have been able to grab the browser. I think Netscape gave up on this well before export standards were relaxed.)
I don't see how that's a problem. If they blackhole networks like Telstra, that happily host web sites advertised by spam (so long as you don't abuse their servers to send it), more power to MAPS for such a policy.
If an ISP isn't against spam, it's for it, and should pay the price.
Nevertheless, the idea that bookstores and libraries even can keep track of what books you've checked out or bought and that they are required to give up that information to anyone who shows them a badge is quite chilling.
I also like the way balloting works now, both for anonymity (at least until "they" start analyzing DNA fragments on the ballot and comparing to the inevitable national DNA database) and for the fact that people have to go to some effort to cast a vote.
It is not good for people who aren't willing to get out from in front of their tube to be able to cast a vote with a click of a button. Once people who don't care enough to make the effort to vote now start voting, we might just as well write off the republic. We'll have election results changing in realtime as new age demagogues pander on live TV (with an AOL simulcast) to empirically obtain the most votes.
I thought for sure that link was going to point to Microsoft :>.
That is probably the worst analogy I've ever heard.
Translation: I have no effective counterargument to this point.
If CompUSA's better than average, Pennsylvania NEEDS this law.
Prepare to meet a Gorfian doom, Spaaaaace Ca-det!
Look who's talking.
Is this actually specific to American Express, or is that just an example?
Thanks!
TOP SECRET CARNIVORE
(U) Artificial Intelligence email filtering algorithm:
(TS) cat email.txt | grep (gnutella|napster|31337|pr0n|hax0r|PGP|Freenet|GPG |Klinton|bomb|Ryder|Waco|Ruby|Ryder) > /home/freeh/suspicious.txt
TOP SECRET CARNIVORE
Classifying authority DOJ. Declassify on OADR.