They did do some mistakes though. Such as throwing those phones into the trash, where they were later found by police, complete with messages and call logs, pointing to their hideout in Saint Denis...
And some of them are cowards, discarding their explosive belt, rather than using it...
That's basically the rule that France (and various neighbouring countries) put into place since the attacks. You now need to show government issued id to buy a prepaid card. Previously sold cards must be registered now, or will be deactivated.
Only if by "economic beneficiary" you mean a single Bitcoin address, and not an actual person.
"economic beneficiary" is bank-speak for "person who really is behind a given account" (rather than the straw man or shell company's officer who showed up at the branch to open the account).
Reusing addresses is, of course, already considered poor security practice.
But people do make errors. Especially when trying to operate for a continued period of time.
If your pseudonymous identity is only attached to a single transaction, you might as well be anonymous. There is no real difference between "ephemeral identity used exactly once" and "no identity".
Except of course, that this ephemeral identity is used at least twice. Indeed, before being able to spend money from a wallet, you must first put money into that wallet, and there's your second transaction. Done from another wallet, which also had at least 2 transactions. Following the trail, eventually you get to a wallet having done much more than 2 transactions, and from there you can draw conclusions...
(Ok, theoretically you could spend the proceeds of mining, but I somehow doubt that many potheads buying from the silk road are miners...)
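The "follow the trail" argument in the comment above, as an added example that is not part of the original Slashdot comment: a toy walk backwards from a one-use address through whichever transaction funded it, stopping at the first address that has taken part in more than two transactions (the kind of "busy" wallet from which conclusions can be drawn). The ledger, addresses and transaction ids are all constructed; real transactions have many inputs, each of which would be a separate branch of the walk.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Tx:
    """Constructed, simplified transaction: which addresses were spent from
    and which were paid to. A coinbase (mining) transaction has no inputs."""
    txid: str
    inputs: list
    outputs: list


# Constructed ledger. "E" plays the role of a busy address (an exchange, say),
# A1..A3 and B1 are one-off wallets, "M" is funded only by mining.
LEDGER = [
    Tx("t0", [], ["M"]),            # coinbase: nothing to follow back to
    Tx("t1", ["E"], ["A1"]),
    Tx("t2", ["A1"], ["A2"]),
    Tx("t3", ["A2"], ["A3"]),
    Tx("t4", ["A3"], ["MARKET"]),   # the one "anonymous" purchase
    Tx("t5", ["E"], ["B1"]),
    Tx("t6", ["B1"], ["MARKET"]),
    Tx("t7", ["X"], ["E"]),
]


def index_ledger(ledger):
    """Build two lookups: every txid an address appears in, and the first
    transaction that paid into each address (its funding transaction)."""
    by_addr = defaultdict(list)
    funded_by = {}
    for tx in ledger:
        for addr in tx.inputs + tx.outputs:
            by_addr[addr].append(tx.txid)
        for addr in tx.outputs:
            funded_by.setdefault(addr, tx)
    return by_addr, funded_by


def follow_trail(start, ledger, hub_threshold=2):
    """Walk back from `start` through funding transactions until an address
    with more than `hub_threshold` transactions is reached.

    Returns (trail, hub): the addresses visited in order and the busy address
    the walk ended on, or None when the chain dead-ends in a coinbase."""
    by_addr, funded_by = index_ledger(ledger)
    trail, seen, current = [start], {start}, start
    while len(by_addr[current]) <= hub_threshold:
        tx = funded_by.get(current)
        if tx is None or not tx.inputs:
            return trail, None          # mined coins: no prior wallet to blame
        nxt = tx.inputs[0]              # toy: single input per transaction
        if nxt in seen:
            break                       # defensive: never loop on a cycle
        seen.add(nxt)
        trail.append(nxt)
        current = nxt
    return trail, current


if __name__ == "__main__":
    print(follow_trail("A3", LEDGER))   # (['A3', 'A2', 'A1', 'E'], 'E')
    print(follow_trail("M", LEDGER))    # (['M'], None)
```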
Because the distinction between anonymous and pseudonymous is a meaningless distinction that gets trotted out
If you don't understand these words, they are indeed meaningless to you, but that doesn't mean they're meaningless for everybody.
Anonymous: no identity whatsoever attached to a transaction => they are fully untraceable
Pseudonymous: an "identity" is attached to the transaction, but this "identity" is not the real name of the person. However, this identity allows one to see (given some amount of effort) which transactions belong together and were executed for the same "economic beneficiary". And if even one of these transactions leads to the "economic beneficiary"'s address or civil name, then his civil name can be attached to all of them.
And (at least at the Iowa Democratic party caucuses), given sufficient resolution, they also know how you voted.
That sounds like a lot of work. Haven't these pirates heard of torrents?
Have you heard of any big ships with valuable cargo that travel on torrents?
What was the name of this CMS and who originally installed it?
Don't expect such info from this article, if you find gems such as the following:
Fortunately, the hacker wasn't that skilled. Verizon says that the attacker used a Web shell that didn't support SSL, meaning that all executed commands were recorded in the Web server's log.
A newspaper that isn't skilled enough to know the difference between SSL and POST (if that's what they meant...) certainly wouldn't know the difference between Joomla, Drupal or Wordpress either.
In French, "hackers/crackers" are called "pirates" (not just those that copy movies, but those that hack into servers; and that word was already used in the nineties). Quite an appropriate word in this case...
There's no technical security advantage, at all.
There is one slight technical advantage. For a domain-validated certificate, the intruder can obtain a fake certificate if he can hijack (even temporarily) all connections from the target web server to the internet, or if he can hijack (even temporarily) the target domain's DNS. Indeed, that way, he may be able to intercept any mails, DNS or web requests that the CA might send to the victim server, and be granted the certificate.
For EV, the intruder would additionally need to supply (or forge) some paperwork "proving" he is the legitimate owner of the target domain, which slightly raises the bar.
There might be a customer advantage if they even knew what an EV cert was, but they don't, and if you try to explain it to them, they don't care.
Consider yourself happy if they even knew what any kind of cert was, and why it is a horribly bad idea to summarily dismiss warnings about bad or mismatched certificates...
Honest question though-- can extended validation be spoofed by MITM?
It depends on the security of the certification agencies' procedures, and on any vulnerabilities that might be present in the user's browsers. If the user's browser happens to still trust Diginotar, then yes, even extended validation can be spoofed by the MITM.
But joking aside, extended validation protects against some types of attacks against the CA or the website you want to visit, so if the MITM used any of those vulnerabilities to get his fake cert, then extended validation is slightly more secure. However, if the attacker relied on other security holes, then there is no difference.
See, if someone controls the network, they can also trivially do a man in the middle attack. Just like all the other crap.
Most browsers will pop up a warning if somebody attempts a man-in-the-middle-attack with SSL. So, as long as the user is sufficiently educated to heed that warning, he should be ok. But then a sufficiently educated user would not run a browser or OS vulnerable to "drive-by downloads" either...
So, user education is still needed, even if everybody switches to SSL.
so what could they have possibly gained by this devious man in the middle circus
Maybe they were hoping that you were a Windows weenie who'd compulsively click away any dialog that appeared, even though this time it happened to be a warning about a mismatched certificate? In which case you would be the clown in that circus...
can be sued (maybe by your next-of-kin)
Good point. Whereas with Wifi, you'll be able to do the suing yourself. Indeed, the worst that could happen with free Wifi is that your weird orange-haired-wankpuffin fetish comes to light, but there's no danger to life-and-limb.
Once you're on the plane, you at least know where the pilot and co-pilot are most of the time.
You might know where they are, but you don't know where they should be. Namely on sick leave...
and you absolutely won't like the Trojan they leave behind after the full cavity search.
That's not a trojan, that's a femidom!
A wage is supposed to cover the above items PLUS RENT.
The above items did include "living inside shelter..."
place that would allow her to get to work by Muni or BART
I'm not sure about the SF area, but in lots of other places in the world, prices tend to go up once there is easy access to public transportation (and also if there's easy access to a freeway).
So the only alternative would indeed be a rather time-consuming commute... Meaning that it's work-commute-bed. Without any time for any kind of leisure. But is that a life she'd like to live? We work to live, not the other way round.
fetish for living in the cities
Urm, maybe she lived in a big city, because that's where the F*ING job is... And it's entirely Yelp's choice to choose to establish itself in SF...
Wow - it's amazing the FBI didn't think of that.
... or they're just perjuring themselves saying they didn't think of that. And actually have other goals than just cracking that specific phone.
But they don't need him to unlock it, so they won't ask.
If they don't need him to unlock it, they don't need Apple either to unlock it. And they can't admit that because then they wouldn't be allowed to force Apple to unlock it.
So they must at least make a token effort to prove that McAfee can't unlock the phone.
and it doesn't even have to say it officially,
Nope, at some point in time, they'll have to argue that before a court of law. Indeed, if McAfee volunteers to crack the phone, this means that it would not be necessary to force Apple to do it. So the court would need to actually show that either McAfee is indeed incapable of doing what he claims, or that there's a real risk that he'd taint the evidence.
(a) The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.
According to one legal analyst, the FBI and NSA already have this capability.
Wouldn't this statement make him more of a technical analyst, rather than a legal one?
What the government is looking for in this court case is a legal precedent to force companies to do this for them and make the data recovery admissible in court.
Funny thing is, they're relying on the All Writs act to compel Apple to do this. However, (at least according to that Wikipedia article), application of All Writs requires the fulfilment of 4 conditions, including "The absence of alternative remedies". If they've got the capability to do it themselves, there's your alternative remedy. The legal analyst should be concerned :-)
("(a) The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.")
It's really only a matter of time before political enemies start throwing this around and we see random (read: republican) politicians eliminated. cf. Circle, The.
In Luxembourg this is already happening now. We had this "bomb layer" affair 30 years ago, where it quickly turned out that some state actors must have been involved (police looking for an excuse for more funding? NATO "stay behind" group gone wild? who knows). So, the inquiry back then quickly stalled and was shelved.
For the 20th anniversary, a radio station was doing a "flashback" about the events, which caused old witnesses to come forward again and somehow kicked justice back into action; the file was re-opened. And lo and behold, some of these witnesses were being intimidated with bogus child pornography accusations. Of course, the judge in the "bomb layer" trial saw through this, and the witness did not actually get into serious trouble from these accusations.
Roughly at the same time, a building contractor proposed a project to construct a huge football field plus mall in an environmentally protected zone. Lots of corruption money flowed to get the environmentally protected status of said zone lifted, to get bank credits at better conditions, etc. To bolster his influence, the building contractor even sponsored a national cycling team to run at the Tour de France. His guys were good for a couple of years. Of course, there were still people concerned about nature who opposed his project, and these people created citizens' initiatives against it, and asked pointed questions during meetings. And despite all the influence of the building-contractor-who-became-Tour-de-France-sponsor, the citizens did manage to derail the project!
Unfortunately, revenge was on its way. While being active in cycling sponsorship, the building contractor met interesting people, including that judge who was also a member of the board of Tour du Luxembourg. And hop, they just nailed one of the citizen's initiative people for child pornography, causing him a great amount of anguish and forcing him to retire 6 months earlier than planned. Eventually he managed to get all penalties overturned on appeal, but he did pass a couple of miserable years until then.
Oh, btw, did I mention that the judge was the same in both cases (bomb layer, and building contractor critic)? Funny how she can play both sides without blinking an eye...
Like just being a doctor?
In which jurisdiction exactly is malpractice leading to death considered the same as deliberate murder? Yeah, thought so...
My coworker noticed a series of unusual file names — "xxxxx_xxxx_xxxxx.jpg" — during the transfer process that prompted his curiosity and the child pornography collection was found.
You know that some Slashdot readers will be foolish enough to not resist their curiosity, and google for that. And possibly a small percentage of those will be unlucky enough that it will come to the police's or whoever's attention. Hopefully, they will remember during their trial to cite where they got that file name from, so that you too can get a taste of what it's like to be on the receiving end of "I was just following procedure".
Which is why the appeals court exists.
Fortunately. Even though, at that stage, the damage to the victim's reputation will already have been done.
We all know the system isn't perfect, and it's easy to knock the odd case that misses, but I can't see how not reporting crime improves this system?
If the crime is just "being a computer professional", then yes, best is to not give in to the madness.
In Italy?
You know, in Salem there were witchcraft trials too...
In 1716?
Well, many consider those laws to be retarded for a reason...
Because that's relevant to this discussion...
Very relevant, indeed. Think about it.
What happens in a courtroom and what gets reported are usually two vastly different things.
And sometimes, you get the occasion to go and watch such a trial first hand, and you see that the reality is actually much worse.