If the RIAA can make absurd demands, why not this guy? Why should corporations have an exclusive right to abuse our nation's courts?
In all seriousness, this whole situation is ridiculous. If this guy is not willing to hand his 9 year old a credit card, why is he willing to hand her a phone that can make charges to his credit card? I am no apologist for Apple, but I am not seeing how Apple is at fault here. This is like claiming that somehow, if a 9 year old is given a credit card and allowed to do whatever she wants in MacDonalds, it is MacDonalds' fault if the child runs up a huge bill.
Now, if this guy could show that Apple had tried to market a version of the iPhone for children, without making it clear that that particular version of the iPhone could be used to make charges to the parents' credit card without first requiring the permission of the parents, he might have a case. Except that is not what happened here.
He is saying that some people say that "hacker" only refers to people who like to illegally break computer security systems, by referring to 2600, a hacker group known for that sort of thing. I say that anyone who is curious can read 2600 magazine and see that while there are a lot of articles about breaking security systems, there are other articles that are within the scope of the old school meaning of the word "hacker."
If you actually read 2600 magazine, the scope of the articles fits in with the typical definition of a hacker: someone who likes to tinker with computers and other electronics. There is something of a bias toward computer security, but I have also seen articles about undocumented functions of electronics, technical information about various networking equipment, and so forth.
Hollywood, on the other hand, turned "hacker" into a code word for "computer criminal." No surprises there, given that Hollywood's view of computing is basically the antithesis of what the old school hackers had in mind. Hollywood thinks that computers should only be programmed by licensed professionals, who can be held accountable for the software they write (e.g. deCSS). In Hollywood's view of the world, if you buy a computer that has been programmed to stop you from running your own software (e.g. an iPhone, a PS3, etc.), then defeating those restrictions is criminal behavior -- and they got that codified in the law with the DMCA.
In some sense, I am a ham because of the Internet. I like participating in a global communication system that is operated by its own users. It is unfortunate that there are so many laws standing in the way of ARS being used in lieu of 3G/4G (the most prominent being the ban on encrypted transmissions).
TSA agents are doing their job. Being a dick to them and making their life suck (even more) just makes it worse for everyone.
Maybe if enough people were "dicks" to the TSA, the agency would not be able to hire people for "enhanced pat-downs," or they would be forced to pay such high salaries that their budget would prevent them from running the program. The willingness of TSA employees to do what they are told is what makes the scope-n-grope program possible.
I bet there are plenty of criminals who feed their families with the money they make from their crimes. Yet somehow, that does not absolve them of responsibility for their actions. Why should the TSA workers, who are being paid to sexually assault members of the public, be treated any different? Nobody signs up to work for the TSA without knowing what that agency does.
His answer to the TSA pat-down? He starts acting like he's getting off on it and then hits on the TSA agent (male or female) at the end of it.
Funny, I would have thought that the best way to mess with them would be to demand that they cite the law that gives them the authority to sexually abu^W^Wforcibly pat-down members of the public.
Do you really think that letting the enemy decide these things is a good idea? The voters are the enemy according to the US government, in case you have not noticed.
The goal of libertarianism is to whittle down the power of the government, without which these corporations would have no lever to enforce their appalling designs.
So who do you think is going to take over the various services that are currently provided by the government, which people are not going to just part with? The very corporations whose power you think libertarianism will reduce. Do you really think that those corporations are going to have the best interests of the people in mind when they develop "industry standard" practices for disposing of toxic waste? Do you really think that corporations that do not have to go through the government, and can just do what they want, somehow have less power? Do corporations protect your privacy?
When it comes to the government, you are at least in a position to vote. You have little say over corporations; you can only vote if you buy the right to do so, and of course, rich people can buy a more significant vote. That is a fine way to govern a business, but a terrible way to give people access to a decent education, public transit to get to work, and so forth. Libertarianism is not utopia, it is just a shortcut to plutocracy.
The differences in latencies in the nodes will make your data useless
So there is a limit on the bitrate of my covert channel, since this extra noise will be introduced. That is not such a problem, it just means that I will ultimately need to collect a lot of data (hence a "large file").
The timing corrolation attacks that you seem to be describing rely on the control of both ends
It only requires control of one end, and the ability to monitor the target (or at least ISP traffic or radio signals in the area you suspect the target is in). This is not a hard thing to do, as it turns out; it has been done in the past, but not with Tor, which as you pointed out will add noise. If you would like a scenario, think about the recent bust of Dreamboard, and imagine the police trying to catch Tor users who connected to Dreamboard; the biggest challenge is narrowing down the location of those users. The police do not need to control any nodes in the network, they only need to control one of the computers communicating through the network.
You'd still need an anonymized connection to your usenet server. Otherwise the server can/will log your ip when you view that message. All the feds have to do is get the logs for a few a major usenet providers to see who's looking at the message.
Or you do the smart thing: download all of the messages in alt.anonymous.messages, and select the ones you want offline.
It works, no-one can tell where a Tor connection comes from as long as you don't leak that information in some other way
There are a number of well-known attacks on Tor that can compromise your anonymity, especially if your location can be narrowed down to a small geographic area. Suppose that I can narrow your location down to a small town, and I can make a reasonable guess that you are using WiFi. Here is an attack:
I establish a connection with your computer over Tor. This might be done by convincing you to download a large file from a server I control (or visa versa if you are running a hidden service or connecting to a P2P network), or by engaging you in a chat, etc.
I create a recognizable pattern of latency in my connection to you; that is, I create a covert channel that can be externally observed.
I use a high-gain WiFi antenna and search for a signal that exhibits that latency pattern.
I am now in a position to locate you, using radio direction finding equipment.
Easy to pull off? Not at all -- this is something that would only really be done for a high-value target, a priority target on which resources can be spent. This attack has already been used in the past, not when dealing with Tor but when dealing with legal barriers to wiretapping. It is not unreasonable to think that the Chinese government might try something like this to crack down on political dissidents.
Obviously there are some assumptions here that are hard to meet in the general case. How do I narrow down your geographic location? How can I be sure that you use WiFi? In the case of a drug dealer, narrowing down the geographic location is not terribly hard, since packages have to be shipped; the dealer might make long drives to far away post offices, but with enough packages one could get a good idea of where the deal is physically located (again, we should assume that this is a large-scale dealer, someone who would ship large numbers of packages -- someone the police could order a large number of packages from). WiFi is just a good guess, but it is not strictly necessary; an ISP could identify the covert channel too, and I would not be surprised if that was ruled legal by the courts.
At the end of the day, Tor cannot protect you from a concerted, well-funded attack. There are other systems that offer a higher security level (Mixmaster comes to mind) but which are less flexible than Tor, and thus less popular. Tor makes several trade-offs to achieve low latency, and nobody should claim that it could protect you from an intelligence agency or a military force (the DEA comprises both).
That none of the various "anonimizer" services out there, from HotSpotShield to Tor, actually give you any kind of tangible identity protection in the "real world" of the current internet
Except that these are not the be-all and end-all of anonymity systems. The anonymous remailer system is much more secure than Tor, and is not vulnerable to the sort of fingerprinting attacks that Tor is vulnerable to. Intelligence agencies have known for decades that perfect receiver anonymity is possible: broadcast an encrypted message (online, this is alt.anonymous.messages on Usenet, or other similar media).
The problem is that people want to be able to do things in real-time. People are not content to wait 48+ hours to receive a message. People are generally willing to sacrifice some security to get speed and convenience, and thus Tor is the most popular strong anonymity system out there.
I hope the Tor Project will be forthcoming with some as soon as some technically useful info is available.
They might not even know. There are quite a few people in the computer security community who keep their work on breaking the security of systems like Tor a secret, and only tell US law enforcement about their results. I have met such people, and they are generally well-meaning -- they really do believe that they are helping to catch dangerous criminals (and they can cite cases where that happened, usually child sex abuse cases).
Unfortunately, because such researchers believe that fixing these problems will help "the enemy," they generally refuse to disclose details. One of the common themes is variations on fingerprinting attacks, where you communicate with your target over Tor but use a covert channel that can be used to distinguish your target from other Tor users. These sorts of attacks usually involve narrowing down the geographic area where your target is, but for attacking a drug dealing operation that is not hard to do -- just look at where packages from the operation are coming from.
Except that scientists have studied LSD, for decades, and there has been little evidence of people forming dependences on it. This is in stark contrast to the three most popular legal drugs: caffeine, tobacco, and alcohol.
The point of the war on drugs is to imprison people, create excuses for violating civil rights, militarize the police, and fatten corporate profits (especially pharmaceuticals, light arms producers, and prison operators). Nobody wants it to stop; it would not be possible for it to stop even if we tried, because human beings use drugs, period. People drink tea, people use tobacco, people take antihistamines, people drink alcohol, and yes, people smoke marijuana, snort cocaine, and use LSD. If everyone stopped using illegal drugs, we would just make more drugs illegal to continue the arrests.
"Narcotics" sounds scary, so we should call all drugs narcotics! This is not a new propaganda strategy; marijuana was first called a narcotic in the 1930s during the hearings on banning the drug.
Anonymous payment systems are not good because they let you evade the government, they are good because they protect spenders and merchants from various types of fraud.
A large drug dealing operation that uses Bitcoin is no better off than one which uses cash. The drug dealers still need to pay their rent and buy their groceries, and they cannot do that with Bitcoin. All the DEA would have to do is to watch Bitcoin exchanges to gather lists of suspects.
You still need to ship the drugs, so you are still going leave a trail that points to you.
You know how you get this funny feeling about giving your credit card details to some unknown website, or over an unsecure connection, or to some stranger at a gas station? The reason you get that funny feeling is that you are worried that the person you just gave that information to might turn around and spend your money, a basic form of online credit card fraud. It happens all the time, and that information is one of the things that is traded on "carder" forums. Now we have an even worse problem: well known businesses might be attacked, and have databases full of payment information copied.
Now, a digital cash smart card is another story. You have a card with enough memory to store some digital cash tokens and some circuitry for carrying out a digital cash protocol. You want to buy something online? Plug your smartcard into your computer (why don't we ship computers with smartcard readers?), make the payment, and the worst that can happen is that the counterparty never delivers what you purchased. No fears about your credentials being used to make fraudulent payments, no worries about a database of payment information, and your money can only be stolen the traditional way: someone taking your smartcard from your wallet.
This was one of the original points of digital cash. Anonymous payments are not good because they let you evade government regulations, they are good because they do not create identity theft problems. Digital cash is good because it is anonymous, and because it is hard (in a cryptographic sense) to make fraudulent payments without at least betraying your identity in the process (and thus opening yourself up to prosecution).
I am not going to claim that all financial crime problems will be solved with digital cash. People will still need to transfer cash to their smartcards somehow, which is something that also needs to be secured. The point here is that we could defend ourselves from a large and important class of computer crimes by deploying relatively inexpensive hardware (a one-time cost) and some well-developed cryptographic protocols.
It is not just that we are a long way from solving the problem of computer crime; we are not even trying to solve it. We are still sluggish on deploying digital cash (no, not Bitcoin, more like Chaum), relying on traditional systems of banking that have been translated into electronic forms (debit cards, credit cards, PayPal, etc.). We are still relying on passwords to protect money, personal information, and so forth. We are still relying on the From: field in an email to determine who the email came from. When things go wrong, we just call up the police and do nothing to fix the inherent security problems that made the attack possible.
Is it any wonder computer crime remains a serious problem? Society has not yet adjusted its thinking to align with the computer age. People have no concept of how easily emails can be forged -- one of my favorite demos to give people is to send them an email that has their own email address in the "From" field. There is also a general lack of technical knowledge that creates problems for people; a friend once told me that by password-protecting her BIOS, she could ensure that a thief would not be able to read her hard drive (she was shocked when I made her aware that a thief could just remove her laptop's hard drive and insert it into a different computer).
Eventually society will catch up. People eventually learned that traditional sword fighting tactics need to be dropped when you are dealing with firearms. In a few decades, computer security will improve out of necessity. Unfortunately, the time between now and then will be painful.
Slashdot Mirror
Oh no! Not making money without asking permission!
Why should someone who runs a server have to get the permission of whoever wrote the client?
If the RIAA can make absurd demands, why not this guy? Why should corporations have an exclusive right to abuse our nation's courts?
In all seriousness, this whole situation is ridiculous. If this guy is not willing to hand his 9 year old a credit card, why is he willing to hand her a phone that can make charges to his credit card? I am no apologist for Apple, but I am not seeing how Apple is at fault here. This is like claiming that somehow, if a 9 year old is given a credit card and allowed to do whatever she wants in MacDonalds, it is MacDonalds' fault if the child runs up a huge bill.
Now, if this guy could show that Apple had tried to market a version of the iPhone for children, without making it clear that that particular version of the iPhone could be used to make charges to the parents' credit card without first requiring the permission of the parents, he might have a case. Except that is not what happened here.
He is saying that some people say that "hacker" only refers to people who like to illegally break computer security systems, by referring to 2600, a hacker group known for that sort of thing. I say that anyone who is curious can read 2600 magazine and see that while there are a lot of articles about breaking security systems, there are other articles that are within the scope of the old school meaning of the word "hacker."
If you actually read 2600 magazine, the scope of the articles fits in with the typical definition of a hacker: someone who likes to tinker with computers and other electronics. There is something of a bias toward computer security, but I have also seen articles about undocumented functions of electronics, technical information about various networking equipment, and so forth.
Hollywood, on the other hand, turned "hacker" into a code word for "computer criminal." No surprises there, given that Hollywood's view of computing is basically the antithesis of what the old school hackers had in mind. Hollywood thinks that computers should only be programmed by licensed professionals, who can be held accountable for the software they write (e.g. deCSS). In Hollywood's view of the world, if you buy a computer that has been programmed to stop you from running your own software (e.g. an iPhone, a PS3, etc.), then defeating those restrictions is criminal behavior -- and they got that codified in the law with the DMCA.
In some sense, I am a ham because of the Internet. I like participating in a global communication system that is operated by its own users. It is unfortunate that there are so many laws standing in the way of ARS being used in lieu of 3G/4G (the most prominent being the ban on encrypted transmissions).
That only invites the TSA to employ even worse tactics with trains, buses, and passenger ships, so that people will be scared back to flying.
TSA agents are doing their job. Being a dick to them and making their life suck (even more) just makes it worse for everyone.
Maybe if enough people were "dicks" to the TSA, the agency would not be able to hire people for "enhanced pat-downs," or they would be forced to pay such high salaries that their budget would prevent them from running the program. The willingness of TSA employees to do what they are told is what makes the scope-n-grope program possible.
I bet there are plenty of criminals who feed their families with the money they make from their crimes. Yet somehow, that does not absolve them of responsibility for their actions. Why should the TSA workers, who are being paid to sexually assault members of the public, be treated any different? Nobody signs up to work for the TSA without knowing what that agency does.
The TSA agents are acting as directed.
https://en.wikipedia.org/wiki/Nuremberg_defense
His answer to the TSA pat-down? He starts acting like he's getting off on it and then hits on the TSA agent (male or female) at the end of it.
Funny, I would have thought that the best way to mess with them would be to demand that they cite the law that gives them the authority to sexually abu^W^Wforcibly pat-down members of the public.
Do you really think that letting the enemy decide these things is a good idea? The voters are the enemy according to the US government, in case you have not noticed.
The goal of libertarianism is to whittle down the power of the government, without which these corporations would have no lever to enforce their appalling designs.
So who do you think is going to take over the various services that are currently provided by the government, which people are not going to just part with? The very corporations whose power you think libertarianism will reduce. Do you really think that those corporations are going to have the best interests of the people in mind when they develop "industry standard" practices for disposing of toxic waste? Do you really think that corporations that do not have to go through the government, and can just do what they want, somehow have less power? Do corporations protect your privacy?
When it comes to the government, you are at least in a position to vote. You have little say over corporations; you can only vote if you buy the right to do so, and of course, rich people can buy a more significant vote. That is a fine way to govern a business, but a terrible way to give people access to a decent education, public transit to get to work, and so forth. Libertarianism is not utopia, it is just a shortcut to plutocracy.
The differences in latencies in the nodes will make your data useless
So there is a limit on the bitrate of my covert channel, since this extra noise will be introduced. That is not such a problem, it just means that I will ultimately need to collect a lot of data (hence a "large file").
The timing corrolation attacks that you seem to be describing rely on the control of both ends
It only requires control of one end, and the ability to monitor the target (or at least ISP traffic or radio signals in the area you suspect the target is in). This is not a hard thing to do, as it turns out; it has been done in the past, but not with Tor, which as you pointed out will add noise. If you would like a scenario, think about the recent bust of Dreamboard, and imagine the police trying to catch Tor users who connected to Dreamboard; the biggest challenge is narrowing down the location of those users. The police do not need to control any nodes in the network, they only need to control one of the computers communicating through the network.
You'd still need an anonymized connection to your usenet server. Otherwise the server can/will log your ip when you view that message. All the feds have to do is get the logs for a few a major usenet providers to see who's looking at the message.
Or you do the smart thing: download all of the messages in alt.anonymous.messages, and select the ones you want offline.
It works, no-one can tell where a Tor connection comes from as long as you don't leak that information in some other way
There are a number of well-known attacks on Tor that can compromise your anonymity, especially if your location can be narrowed down to a small geographic area. Suppose that I can narrow your location down to a small town, and I can make a reasonable guess that you are using WiFi. Here is an attack:
Easy to pull off? Not at all -- this is something that would only really be done for a high-value target, a priority target on which resources can be spent. This attack has already been used in the past, not when dealing with Tor but when dealing with legal barriers to wiretapping. It is not unreasonable to think that the Chinese government might try something like this to crack down on political dissidents.
Obviously there are some assumptions here that are hard to meet in the general case. How do I narrow down your geographic location? How can I be sure that you use WiFi? In the case of a drug dealer, narrowing down the geographic location is not terribly hard, since packages have to be shipped; the dealer might make long drives to far away post offices, but with enough packages one could get a good idea of where the deal is physically located (again, we should assume that this is a large-scale dealer, someone who would ship large numbers of packages -- someone the police could order a large number of packages from). WiFi is just a good guess, but it is not strictly necessary; an ISP could identify the covert channel too, and I would not be surprised if that was ruled legal by the courts.
At the end of the day, Tor cannot protect you from a concerted, well-funded attack. There are other systems that offer a higher security level (Mixmaster comes to mind) but which are less flexible than Tor, and thus less popular. Tor makes several trade-offs to achieve low latency, and nobody should claim that it could protect you from an intelligence agency or a military force (the DEA comprises both).
https://www.erowid.org/references/refs.php?S=lsd
Going all the way back to the 1950s, in several languages.
That none of the various "anonimizer" services out there, from HotSpotShield to Tor, actually give you any kind of tangible identity protection in the "real world" of the current internet
Except that these are not the be-all and end-all of anonymity systems. The anonymous remailer system is much more secure than Tor, and is not vulnerable to the sort of fingerprinting attacks that Tor is vulnerable to. Intelligence agencies have known for decades that perfect receiver anonymity is possible: broadcast an encrypted message (online, this is alt.anonymous.messages on Usenet, or other similar media).
The problem is that people want to be able to do things in real-time. People are not content to wait 48+ hours to receive a message. People are generally willing to sacrifice some security to get speed and convenience, and thus Tor is the most popular strong anonymity system out there.
I hope the Tor Project will be forthcoming with some as soon as some technically useful info is available.
They might not even know. There are quite a few people in the computer security community who keep their work on breaking the security of systems like Tor a secret, and only tell US law enforcement about their results. I have met such people, and they are generally well-meaning -- they really do believe that they are helping to catch dangerous criminals (and they can cite cases where that happened, usually child sex abuse cases).
Unfortunately, because such researchers believe that fixing these problems will help "the enemy," they generally refuse to disclose details. One of the common themes is variations on fingerprinting attacks, where you communicate with your target over Tor but use a covert channel that can be used to distinguish your target from other Tor users. These sorts of attacks usually involve narrowing down the geographic area where your target is, but for attacking a drug dealing operation that is not hard to do -- just look at where packages from the operation are coming from.
Except that scientists have studied LSD, for decades, and there has been little evidence of people forming dependences on it. This is in stark contrast to the three most popular legal drugs: caffeine, tobacco, and alcohol.
The point of the war on drugs is to imprison people, create excuses for violating civil rights, militarize the police, and fatten corporate profits (especially pharmaceuticals, light arms producers, and prison operators). Nobody wants it to stop; it would not be possible for it to stop even if we tried, because human beings use drugs, period. People drink tea, people use tobacco, people take antihistamines, people drink alcohol, and yes, people smoke marijuana, snort cocaine, and use LSD. If everyone stopped using illegal drugs, we would just make more drugs illegal to continue the arrests.
"Narcotics" sounds scary, so we should call all drugs narcotics! This is not a new propaganda strategy; marijuana was first called a narcotic in the 1930s during the hearings on banning the drug.
Which common computer crime problems does digital cash solve?
https://en.wikipedia.org/wiki/Card_not_present_transaction
You know how you get this funny feeling about giving your credit card details to some unknown website, or over an unsecure connection, or to some stranger at a gas station? The reason you get that funny feeling is that you are worried that the person you just gave that information to might turn around and spend your money, a basic form of online credit card fraud. It happens all the time, and that information is one of the things that is traded on "carder" forums. Now we have an even worse problem: well known businesses might be attacked, and have databases full of payment information copied.
Now, a digital cash smart card is another story. You have a card with enough memory to store some digital cash tokens and some circuitry for carrying out a digital cash protocol. You want to buy something online? Plug your smartcard into your computer (why don't we ship computers with smartcard readers?), make the payment, and the worst that can happen is that the counterparty never delivers what you purchased. No fears about your credentials being used to make fraudulent payments, no worries about a database of payment information, and your money can only be stolen the traditional way: someone taking your smartcard from your wallet.
This was one of the original points of digital cash. Anonymous payments are not good because they let you evade government regulations, they are good because they do not create identity theft problems. Digital cash is good because it is anonymous, and because it is hard (in a cryptographic sense) to make fraudulent payments without at least betraying your identity in the process (and thus opening yourself up to prosecution).
I am not going to claim that all financial crime problems will be solved with digital cash. People will still need to transfer cash to their smartcards somehow, which is something that also needs to be secured. The point here is that we could defend ourselves from a large and important class of computer crimes by deploying relatively inexpensive hardware (a one-time cost) and some well-developed cryptographic protocols.
It is not just that we are a long way from solving the problem of computer crime; we are not even trying to solve it. We are still sluggish on deploying digital cash (no, not Bitcoin, more like Chaum), relying on traditional systems of banking that have been translated into electronic forms (debit cards, credit cards, PayPal, etc.). We are still relying on passwords to protect money, personal information, and so forth. We are still relying on the From: field in an email to determine who the email came from. When things go wrong, we just call up the police and do nothing to fix the inherent security problems that made the attack possible.
Is it any wonder computer crime remains a serious problem? Society has not yet adjusted its thinking to align with the computer age. People have no concept of how easily emails can be forged -- one of my favorite demos to give people is to send them an email that has their own email address in the "From" field. There is also a general lack of technical knowledge that creates problems for people; a friend once told me that by password-protecting her BIOS, she could ensure that a thief would not be able to read her hard drive (she was shocked when I made her aware that a thief could just remove her laptop's hard drive and insert it into a different computer).
Eventually society will catch up. People eventually learned that traditional sword fighting tactics need to be dropped when you are dealing with firearms. In a few decades, computer security will improve out of necessity. Unfortunately, the time between now and then will be painful.
You will be absorbed. Your individuality will merge into the unity of good!