Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘1st Amendment’ Category

The DARKNET: Operation Legitimacy?

leave a comment »

strongbox

gaiuaim ioi dui pln!

The DARKNETS…

The “Darknets” You’ve all heard of them. Some of you out there may have traversed their labyrinthine back alleys. However, have you ever thought that someday the darknet would be just as legitimate as the “clearnet” is today? With the recent bust of DPR and the Silk Road there has once again been great interest in the “Deep Web” and this interest was sparked once again for me too. It seems that the darknet is the new black once again and people are flocking to it just like onlookers at a traffic accident. Others though seem to be aiming to use the darknet technology (TOR and hidden services) to support free speech and to pass information as a legitimate whistle blower.

Still Mos Eisley but….

I loaded up TOR & Tails and took a trip once again into the digital Mos Eisley. It is still dark and full of crazy things and if you go there you too will see black market items, services like Assassinations for Bitcoins, and run of the mill blogs. You can (allegedly) buy just about any kind of drug in quantity just as easily as buying/mining bitcoins and paying for your drugs with them. All anonymously (once again allegedly as you can see from the DPR fiasco) via the Onion hidden services and backed by other services from anonymous email on TOR to bitcoin exchanges. However one can now see other sites out there that aren’t so black market oriented as well.

One such site is pictured above. The New Yorker decided post Ed Snowden’s revelations, that it was a good idea to put their new “secure dropbox” on the hidden services. This is a legit site that has been talked about on the clearnet as well as in the media a couple months ago. This is one of the first more legit sites I have seen out there that is offering a secure means to talk to reporters using the security that others on the darknets are using to carry out illegal activities. I have yet to really look at the site’s security but overall I see this one site being the key to showing others out there how the darknet can be used for something other than crime. Of course then again, if you ask the Obama Administration even this site could be considered illegal or an accessory to illegal leaking I guess. It’s really a matter of perspective.

Gentrification?

So what about other sites? What would you out there use the darknet for that is not “illicit” but requires some security and anonymity? I can foresee other sites popping up perhaps in the arena of free speech or even political movements that might like this model to pass their ideals on. I honestly think this is a turning point for the darknet. Of course this is all predicated on the darknet being “secure” after the revelations from the Snowden Archive of late. It seems the NSA is really trying pretty hard to de-anonymize anyone they want to and would love to have it just not anonymous at all. Well, let me re-phrase that.. Have them THINK it’s anonymous while it is not so much to the NSA.

Other sites out there include an online Koran as well as all kinds of other non criminal sites that are.. Well.. Kinda goofy or fringe. I think that perhaps now things might shift as the technology becomes easier to manage making it easier with global connectivity for us all to hang up a shingle in the darknet.

Time will tell though I guess…

K.

So here’s my thing….

with 3 comments

dark_of_night_OURO

VQX HWMVCUSE JQJFASSNTG QV! X HQ JD ISIAVVE!

Face it.. We are all PWND six ways to Sunday

Every frigging day we hear more and more about how the NSA has been emptying our lives of privacy and subverting the laws of this land and others with their machinations. It’s true, and I have been saying as much since the day Mr. Klein came out of his telco closet and talked about how the NARUS system had been plugged into the MAE West back in the day. We are all well and truly fucked if we want any kind of privacy today kids and we all need to just sit back and think about that.

*ponder ponder ponder*

Ok, I have thought about it and I have tried to think of any way to protect myself from the encroachment of the NSA and all the big and little sisters out there. I am absolutely flummoxed to come up with any cogent means to really and truly protect my communications. Short of having access to the NSA supercloud and some cryptographers I don’t think that we will not truly have any privacy anymore. If you place it on the net, or in the air. We have reached in my opinion the very real possibility of the N-Dystopia I have talked about before in the Great Cyber Game post.

As the pundits like Schneier and others groan on and on about how the NSA is doing all of this to us all I have increasingly felt  the 5 stages of grief. I had the disbelief (ok not completely as you all know but the scope was incredible at each revelation) Then the anger came and washed over me, waves and waves of it as I saw the breadth and scope of the abuse. Soon though that anger went away and I was then feeling the bargaining phase begin. I started to bargain in my head with ideas that I could in fact create my own privacy with crypto and other OPSEC means. I thought I could just deny the government the data. I soon though began to understand that no matter what I did with the tools out there that it was likely they had already been back door’d. This came to be more than the case once the stories came out around how the NSA had been pressuring all kinds of tech companies to weaken standards or even build full back doors into their products under the guise of “National Security”

Over time the revelations have all lead to the inescapable truth that there is nothing really anyone can do to stop the nation state from mining our communications on a technological level. Once that had fully set in my mind the depression kicked in. Of late I have been more quiet online and more depressed about our current state as well as our future state with regard to surveillance and the cyberwarz. I came to the conclusion that no matter the railing and screaming I might do it would mean nothing to the rapidly approaching cyberpocalypse of our own creation arriving. ….In short, we can’t stop it and thus the last of the five stages for me has set in. I accept that there is nothing I can do, nay, nothing “we” can do to stop this short of a bloody coup on the government at large.

I now luxuriate in my apathy and were I to really care any more I would lose my fucking mind.

OPSEC! OPSEC! OPSEC!

Speaking of losing one’s mind.. Lately people all have been yelling that OPSEC is the only way! One (the gruqq) has been touting this and all kinds of counterintelligence as the panacea for the masses on these issues. Well, why? Why should we all have to be spies to just have a little privacy in our lives huh? I mean it’s one thing to be a shithead and just share every fucking stupid idea you have on FriendFace and Tweeter but really, if you can’t shut yourself up that is your problem right? No, I speak of the every day email to your mom telling her about your health status or maybe your decision to come out etc. Why should the government have the eminent domain digitally to look at all that shit now or later?

If you take measures to protect these transactions and those measures are already compromised by the government why then should you even attempt to protect them with overburdened measures such as OPSEC huh? I mean, really if you are that worried about that shit then go talk to someone personally huh? I know, quite the defeatist attitude I have there huh? The reality is that even though I claim not to be caring about it (re: apathy above) I actually do but I realize that we no longer have privacy even if we try to create it for ourselves with technical means. If the gov wants to see your shit they will make a way to do so without your knowing about it. I fully expect someday that they will just claim eminent domain over the internet completely.

Fuck OPSEC.. I want my government to do the right thing and not try to hide all their skirting of the law by making it classified and sending me an NSL that threatens to put me in jail for breaking the law.

Fuck this shit.

CYBERWARZ

Then we have the CYBERWARZ!! Oh yeah, the gubment, the military, and the private sector all have the CYBERWARZ fever. I cannot tell you how sick of that bullshit I am really. I am tired of all the hype and misdirection. Let me clear this up for you all right here and right now. THERE IS NO CYBERWAR! There is only snake oil and espionage. UNTIL such time as there is a full out kinetic war going on where systems have been destroyed or compromised just before tanks roll in or nukes hit us there is no cyberwar to speak of. There is only TALK OF cyber war.. Well more like masturbatory fantasies by the likes of Beitlich et al in reality. So back the fuck off of this shit mmkay? We do not live in the world of William Gibson and NO you are not Johnny Mnemonic ok!

Sick. And. Tired.

I really feel like that Shatner skit where he tells the Trekkies to get a life…

Awaiting the DERPOCALYPSE

All that is left for us all now is the DERPOCALYPSE. This is the end state of INFOSEC to me. We are all going to be co-opted into the cyberwarz and the privacy wars and none of us have a snowball’s chance in hell of doing anything productive with our lives. Some of us are breaking things because we love it. Others are trying to protect “ALL THE THINGS” from the breakers and the people who take their ideas and technologies and begin breaking all those things. It’s a vicious cycle of derp that really has no end. It’s an ouroboros of fail.

RAGE! RAGE! AGAINST THE DYING OF THE PRIVACY! is a nice sentiment but in reality we have no way to completely stop the juggernaut of the NSA and the government kids. We are all just pawns in a larger geopolitical game and we have to accept this. If we choose not to, and many have, then I suggest you gird your loins for the inevitable kick in the balls that you will receive from the government eventually. The same applies for all those companies out there aiding the government in their quest for the panopticon or the cyberwarz. Money talks and there is so much of it in this industry now that there is little to stop it’s abuse as well.

We are well and truly fucked.

So, if you too are feeling burned out by all of this take heart gentle reader. All you need do is just not care anymore. Come, join me in the pool of acceptance. Would you care for a lotus blossom perhaps? It’s all good once you have accepted the truth that there is nothing you can do and that if you do things that might secure you then you are now more of a target. So, do nothing…

Derp.

K.

BORN ON THE FOURTH OF JULY

with one comment

Born-On-The-Fourth-Of-July_snow

jw hnne pjofkeq lhr Juoacbf

REVELATIONS

On this fourth of July as I sit here early in the morning I am left to think on all that is going on and the future from this moment on regarding the NSA revelations by EJ Snowden. Since coming out to Glenn Greenwald and the Guardian “We The People” have been getting the veil ripped away for us on some of the actions of our government for our “safety” from terror. Said actions have been in my opinion the end running of the constitution, the laws of the United States, and the bamboozling of the governed by the governors through the manipulation of fear and secrecy on the populace. The rubric of capturing all data to target only the wicked terrorists is a falsehood. No matter the protestations of the Clapper’s of the secret squirrel world that their machinations have defeated (X) amount of plots against us can assuage my fears that the system could and already has (by Snowden) be abused. Thus the assurance of “Trust us” by the government is hollow at the very least if not disingenuous.

It is said there are to be more revelatory things to come from “Snowman” but I think we should all be upset enough already to be storming the gates of congress seeking redress as it is. Let’s all face it, a system has been created to tap us all. No matter what is said about how it is run by laws that have been created to subvert our most basic of laws to start, the system itself presents a threat. We are now seeing congress going into action as well trying to shed some light on things that have been in fact lied about in their hearings  but I fear that a combination of secrecy, our own collective apathy, and an ineptitude on the part of our representatives has already won out and this security industrial complex has rooted itself too deeply to be excised or even pruned. Know you all though, that it’s out there and that our most sovereign of ideals that our country was founded on has been tattered. Tattered by our own elected officials to “protect us” like children who cannot handle a boo boo.

MOTIVATIONS

Much has been made on the motivations of EJ Snowden and I will just throw my psychological hat in this ring right here and now. Given what I have seen of this man I think he has a narcissistic streak a mile wide and an active imagination that he is Jason Bourne or 007. That said though, I think his core belief here is that he was doing the right thing. I cannot fault him there because what he has shown us all is that the government is spying on us all no matter what they say. Collecting all data, saving it, and then choosing to sift through it is in fact a power that no one should have collectively on us all in one database. Think of this program as the one ring and you as Frodo.. But you have are wearing the one ring all the time and Sauron see’s your every move. Unless you go completely Luddite the government is going to have your number figuratively and literally and that is damn scary no matter the alleged protocols that they have in place.

So, now we come to the time where the attacks on Snowden, the media manipulations that go on for ratings, and the government spin makes him to be the story more so than the actual programs that he has brought to light. It is important here to not care about our boy Snowden any more than an amusing character in a larger passion play. Please consider “Snowman” the Falstaff to the Harry of the government. He is but a cipher to a larger story. Let EJ hang around in Shermeteyevo and pay him no more mind. Pay attention to the real problem here, and that is the programs that he has shown us all are out there and capturing all our data. Don’t get lost in the media derp.

PROTESTATIONS

Look to the Congress people! Look at history as well. If Nixon had had this technology we would have all been not only listened to but we would have become dissidents under the watchful eye of the likes of J. Edgar in some prison for having the temerity of not believing as he did. Power corrupts and absolute power corrupts absolutely as the saying goes. These programs in tandem with the laws being created around them to allow for the bypassing of other laws is absolute corruption. I do not care to hear the prevarications or the finagling that the government is tap dancing to to allow these things. It’s just wrong no matter the intent and it all stems from an administration that thought that torture was legal and sought to legalize it with the Yoo Memo’s. What was it that Nixon said? “If the President does it it is not illegal” I’m sorry no, it is illegal and immoral and a beast that has been created that cannot be controlled. I look at all of this and I keep going back to Caesar. Caesar was a great general and was installed during a time of great need to have a man like him running things. He won the war and then decided that he should be ruler in perpetuity, an emperor. I think we have crossed that same Rubicon today with these programs and I fear that it will not end and they will be abused.

All hail Caesar.. SPQR

K.

Written by Krypt3ia

2013/07/04 at 11:05

Creating Your Own Privacy & ROI

leave a comment »

img courtesy of XKCD http://xkcd.com/

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Preamble

With all the alleged revelations over the drift net surveillance happening to us all by the government I and others have been pondering the processes needed to protect one’s communications online and over the phone. Wired and other venues have put out reasonably ok articles on this but generally I think they have lacked on the ROI factor for the varying degree’s of surveillance that has been carried out for some time now, not just the NSA with PRISM. The immensity of it all I think can put one off on the idea of being able to keep their privacy especially given the pains that one must take to keep it on the nation state scale. However, there is much that could be done to have a modicum of privacy but one just has to understand the idea of OPSEC and have some technical base to work from in order to use the technologies such as TOR or CRYPTO in the first place. It is another thing altogether to keep that mindset every day and to understand the import of their use and the cause and effect that comes from failing to use them.

PRISM and NATION STATE SURVEILLANCE

As Ali (@packetknife) alluded to on the “Loopcast” recently with me, the idea that someone can completely deny the nation state program of surveillance is a tough one to swallow today. We all are connected to the net in some way whether it be your smartphone or some other connected device that we carry with us 24/7. In the case of the smart phone the utter and total pwn that goes on there is spectacular to think about. There is no need for tinfoil hat conspiracies about barcode tattoo’s on one’s neck here, all you really need is an iPhone and connectivity to know quite a bit about a person. This is why the metadata issue is a big one and people are seemingly unable to comprehend it. Let me clarify this for you all by also saying that not only are the calls to and from being easily monitored and mined (stored later for perusal when needed) by the NSA it seems, but also the GPS data as well. Remember the hubbub over the Apple collection of GPS data on the phones a couple years back? Remember the outrage on some parts over this? Well, now look at that in relations to how much of that data is accessible by the government too in this program. More to the point and this has not really been talked about, but are they correlating that data as well in the phone surveillance being carried out? My assumption is yes but like I said that seems to have been dwarfed and drowned out by the PRISM revelations.

Ok so now we are being data mined and correlated on the phone calls we make (metadata). Of who we are calling, how long we are talking, and when as well as  the GPS (location) as well?  All of that data is very informational about the habits of a person alone but start to analyze it from a personal and psychological perspective and you can build quite the dossier on someone without even having to listen to their conversations. Which I hasten to add that there are rumors of the caching of conversations generally not just under warrant from FISA. At this level, the nation state level of surveillance, one cannot hope to really be secure in their communications using technologies as they are because of the access the government has built for themselves post 9/11 with the Patriot Act as it’s fulcrum. Access mind you that we are giving them by proxy of the devices we buy and the services that provide the connection because without them we have no way to communicate other than in person or pen to paper with the post offices help right?

All of this though does not mean that the government is spying on you now. What it means though is that the legalities have been created or bent to the will of the government to have the illusion that the wholesale collection of all kinds of data for later use of anyone using these systems is legal. It also means that no matter the protestation of the government and the law enforcement bodies that they take all due care not to collect/use/surveill you vis a vis your data that there is a chance that someone within the system “could” and “might” do so outside of the rules and that is the problem here … Well other than the Constitutional, moral, and ethical issues that is. Just because it is against the rules does not mean someone won’t do it if they have the access. You know.. Like EJ Snowden having access to highly classified data that perhaps he shouldn’t have? Or furthermore the availability of Mr. Snowden being able to insert a USB drive into systems and siphon off said data to give to the press or anyone who’d listen right?

PRIVATE SECTOR or THE LITTLE SISTERS

Another issue that seems to be taking a back seat here is the notion of the Little Sisters to Big Brother. This idea springs from something I alluded to above in that the corporations that offer you the services (Gmail/ATT/Facebook etc) all collect data on you every minute of every day. They use this data for advertising, data mining, selling that data to other companies to form synergies on how to sell you on things etc. It is this practice of collecting all this data on us and our complicity in it that has given rise to the drift net approach that the government has taken with the surveillance programs like PRISM. The government is simply leveraging the capacities that are already there in the first place! You want to blame someone for this mess? Look in the mirror as you have allowed your data to be collected in the first place. YOU have placed your minute details out there on the internet to start with in email or posts to Twitter and Facebook for example. YOU are the culprit because you fail to understand OPSEC (Operational Security) and just scattered it on the net for anyone to see.

Of course other bits are more arcane. Cookies, tracking data within browsers and the like also give away much data on who you are, what you like, and allow the marketers to tailor ads for you when you go to sites that pay for the services. The aggregate of all of this data makes a digital portrait of you that unless you take pains to disallow the collection, will be sold and used by the corporations to package YOU as the commodity. I mean, how do you think Facebook works? It’s a social contract to connect to others and allow Facebook to make money off of your habits. Zucky is not in this to win a Nobel Peace Prize here ya know.

So when you think about all this surveillance going on please remember that you are complicit in it every time you surf the web, make a facebook post, a tweet, or send an email unencrypted (Google analytics kids) because they are all sifting that data to “get to know you better” *cough* It’s just a friends with benefits thing as the government see’s it being able to just hit them with an NSL and plant a server in the infrastructure to cull the data they want. As long as it doesn’t effect the bottom line (money) for them I suspect their worries about privacy are, well, pretty low on average. I mean after all you have already signed away your rights have you not? The little sisters are insidious and subtle and I am afraid they have already become metasticized within the society body.

The Only Privacy You Can Have Is That Which You Make Yourselves

“The only privacy that you have today  is that which you make for yourself” is something I said a while back on a blog post or podcast and I still stand by it. It seems all the more relevant in the post Snowden world today. By creating privacy I mean leveraging technologies like encryption to keep your communications private and OPSEC to consider how you transmit information over the internet and telco. There are inherent problems though with all of these things as you can always make a mistake and end up leaking information either technically (an instance would be logging online with your own IP address to something) or process wise like putting your current location on Facebook and saying you’re on vacation for two weeks. It is all a matter of degree though and even if you are practicing OPSEC there are things outside of your control when the nation state is looking to spy on you. There are just no two ways about it, you can only fight the nation state so much with technology as they have more resources to defeat your measures eventually by end run or by brute force.

On the level of defeating the little sisters, well the same applies but with limitations. You can in fact surf the net on TOR with NOSCRIPT, cookies disallowed and on an inherently anonymized OS on a USB stick right? The little sisters can only do so much and they only interact when they see a profit in it. They after all are not looking to be voyeurs just for the fun of it. They want to sell you something or sell you as metadata right? However, if you start to anonymize yourself as much as you can and you are diligent about it you can stop the Little Sisters which in turn may minimize what the Big Brother can use too. The caveat is that you have to take pains to do this and you have to know what you are doing. There are no magic easy button offerings on the shelf that will hide you from them all and if you care then you will take the time to learn how to perform these measures.

ROI On Privacy

Finally, I would like to take stock of the fight here that you need to take on and what the ROI is for each adversary involved. In reality unless you go off the grid, change your identity and never touch another piece of technology ever again there is a high likelihood that your information will be tracked. One may in fact create a separate identity to pay bills with and use that one to surf online as well as other things but that is an extreme just like the idea of becoming a Luddite. There must be a middle road where you can feel that you are protecting a certain portion of your lives from the unblinking eye of the companies and governments that own or access the technologies that we use every day. You have to though, understand all of this and accept that in the end you may fail at keeping your privacy yours and yours alone. Come to grips with this and be smart and you can have a modicum of success if you are diligent.

A for instance of this ROI would be on the phones. If you TRULY want to be private then you have to lose your smartphone that you have billed to you and buy a burn phone. Cash is king and there is no information taken if you do it right. The unfortunate thing is that you then have to call only others who have the same burn phones out there without any metdata that ties it back to their real identities. You just try getting mom and dad to buy burn phones to talk to them on… It’s not that easy. So really, some of the ROI is minimized by the nuisance factor. The same can be said for the lay individual who is not going to go buy encryption products nor are they capable of installing a Linux system and running something like GPG. This is not going to work for everyone as well as not everyone is going to care about their privacy as the recent Pew poll showed where 56% of polled ok with surveillance program by NSA.

In the end it all comes back to the idea that you create your own privacy by your own actions. Do not trust that the government is going to protect your privacy and certainly don’t believe that the corporations will either. I mean, just look at how many spectacular fails there were on passwords that weren’t hashed or encrypted in any way by companies hacked by LulzSec. As well you should not trust the government, no matter how well intended, that they will be ABLE to protect your privacy as we have seen with recent events like Brad Manning’s theft of (S) data as well as now Snowden (TS/SCI) The actions of one person can be the downfall of every carefully crafted system.

So what is the ROI here? Well….

NATION STATE:

Crypto and anonymized traffic online will minimize your footprint but eventually they will break you if they want to. You have to be exceptional to fight the nation state level of surveillance. As for the driftnet out there well, unless you go luddite they have a lot of data to sift and commingle. They have a pretty good picture of who you are and much of that comes from the little sisters. Your ROI here is minimal because they have the power and the thing you MUST remember is that CRYPTO IS YOUR FRIEND!! Encrypt sessions for chat and emails and you will leave them with the task of either having to break that crypto or hack your endpoint to see the plain text. Make them work for it. Otherwise you may as well just BCC the NSA.GOV on each and every email today it seems.

LITTLE SISTERS:

The little sisters though are another thing. You can in fact obscure a lot of what you do online and through telco but you have to be diligent. It means time and sometimes money (burn phones or laptops in some cases) to obfuscate as much as you can. The ROI here is that IF you take these pains you are then able to deny them easy access to your habits and patterns. If you start using crypto in sessions and in communications like emails then you will be also geometrically heightening your privacy status. But you have to do it.. AND that seems to be the hard part for many whether it is laziness or apathy I am not sure.

Privacy is what you make of it… He says as he hits enter on a public blog post!

K.

[Jmhhw Kutdegc ohl Vmgi Uizvsr pspmspw avuzyiw ypicl Qephcv Tmwfcj’a yere. Kutdegc plqfkw sd Vqklsn vcukipd.]
Polvc Ayzfiui: Elr npwr, xfslm’k Qephcv Tmwfcj…[tgsoq on i xspbsl ezmpc Auzlmr fom i tpely mbsvi. Uoftsgi rilvk xlc titviv rc mpga mr vua fs tydyzk] Li bcyaf’x wcsg bg lets u xswx.
Zwmpgt: [Ayzea saew] W’g agvvw, pob A hsl’h qwjo jmf npw kstslveirr.
Rckc Kspriv: Oi hm. [Gbwow e aoll] Fexgchid Wiailqlc Eeshkq.
Fmqvix: Sl. Cmi’lm lli eisa A liyf vzwexfwho gr xfs ibziv cbx wx qc nvivw.
Hmay Awjhsl: Bi, bzex’q hbm XFM. Us’lm fsx avuzlivcr zwj hsksmbag wsfpmappybwm.
Tmwfcj: Wz, M wcs. Swm nyqh idwvxffie yszcfhuwrxq. Gyb mt jpwyvvpc bwwbsxspg.
Xquo Kmfxwf: Rs, rvub’k xlc QCI. Oi tpcnmux ssf awnivlayvl’w gmagcfmgyhcwfw, ac hlg ls fpsus lli mhbmj jijzu’a ushcg. Qm’ji xfs awgh ksmm, Usvxw.
Pcazst: Esy, Q uer’r hytd css kbil e vczcmx xlyh ca…Vmgi.
Rckc Kspriv: Uleluy ggyv kwhl, uepj im il xlgg hcefip… [ucdww Fggbwh e jmzxmv tmcqy wx tensl] Uj. Fvgqy.

SHMOOCON 2013 ROUNDUP

with one comment

shmoo

xboymqiqzz

Takeaways:

Well another Shmoocon has come and gone. While much fun was to be had I could not help but notice that there was a definite theme going on in talks this year both on and off the stages. That theme was just how much we are all being screwed by the legal system today as well as how much damage could be done to anyone at any time because the laws are either being abused or are ill suited to apply to the crimes that people are being charged with. In many cases the talk this year centered around fundamental rights granted by the Constitution that are steadily being eroded or tossed out the window because the word cyber has been placed in front of the charges.

With stories like the DHS’ right to search any of your hardware within 100 miles of the border to seizures of domains without having to produce a reason why we should be talking about it. Frankly we should be doing more than just talking about it we should be assailing the government with questions and attempting to protect our rights. Unfortunately what we have seen is that even trying to protect our rights cannot be done easily without a great amount of money and time while lawyers bill you many hundreds of dollars an hour. Without money we have pretty much no hope of changing the laws even with the likes of EFF trying to do so.

This conference just seemed to show that we are realizing these things more overtly because of late the law has been making some rather harsh decisions against the innocent as well as the guilty. For me though, when I see misdemeanors turn into felonies because they are compounded together in order to have a bigger win in the press and to further a career I see the scales of justice as being broken. The realization, which we all have but we put away to lead our daily lives and keep our heads down is that the law only really serves those who have money. The more money you have, the more malleable you can force the law to be.

The Law Won’t Protect You:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

It seems that since 9/11 the 1st and 4rth Amendment have become trite in some ways to the government. From the moment that GW Bush said you better watch what you say to today’s full blown surveillance state we have seen these fundamental rules be put aside by the government. Sometimes this is overtly but mostly it is done in muted ways that people are not paying attention to. The instance of the DHS’ right to search any hardware you have within a 100 mile radius of the border is part and parcel to this idea that they can do whatever they wish in the name of anti terrorism. A review of the privacy record for DHS generated a report that once really read shows they had no issue with this and thought that it was not a privacy issue whatsoever.

Evidently, the 4rth Amendments statement on reasonable search and seizure is moot if some $10.00 an hour security guard feels that I am an imminent threat with that laptop. I guess though that’s just par for the course in a world where warrant-less wiretapping is the vogue and approved by the government even though they were mandated by law to get things like FISA warrants to do so. It’s interesting to note just how quickly the government was able to re-jigger the laws around that in their benefit to allow for this as well as say rationalizing torture too. It’s all a matter of who’s got the juice and the legal teams to wordsmith language to allow what they desire to become the rule of law. It seems today that the laws to protect you are just platitudes and if you believe in them you are deluding yourself to some extent.

The Law’s Allow Over-Reach and Companies Like Microsoft Are Abusing That:

Another talk by @theprez98 was about how Microsoft in particular but also the government were seizing domains inside as well as trying to outside the country. The cases where Microsoft has been taking liberty with the law surrounds the C&C’s for malware like Zeus. These takedowns make the news and Microsoft get’s a boost for being the whitehat here but in fact they are using their great wealth to manipulate the law in their favor to carry out these extra jurisdictional actions. What it amounts to is a private company seeking approval from a judge to carry out actions that the police really should be but are not.

In the case of the Zeus takedown they seized assets and domains of not only the botmasters but also innocent victims in the process. The same has happened with the government taking down domains under seal. This means that the collateral damage (aka other peoples sites that had nothing to do with this to start) end up losing their data, have no real means of seeking redress (sealed means secret) and in the end lose money and time because they happened to just be in the way. Of course lest we also forget that if their site happened to have some content that may be considered illegal in some way, then they too could be charged in another case because suddenly their data is considered “plain view” This means that since the government could see it even without a specified warrant they could then act upon it.

Microsoft has been prosecuting these cases with more frequency as they keep citing earlier cases that they won approval from the judge to prosecute and thus case law is made. This precedent makes it all the more possible for any other company to make the same case and as such more searches and seizures could happen by companies and not the law enforcement community. I guess my question then becomes how long until the government privatizes the “net police” ideal and places it in the hands of the likes of a Xe? Will we have letter of digital marque as well one wonders as it becomes more expedient for private companies to police things on the internet.

The Government Is Ill Equipped To Handle Technology and Create Law:

A second talk that focused on the law and how poorly it is equipped to deal with modern technological issues was presented by the EFF at Shmoocon. This talk focused on two cases, the first being the case of Aaron Swartz. Aaron took his own life recently and many believe that it was prompted by the judicial over-reach against him in the JSTOR case. While Aaron did a couple things that could warrant misdemeanors the prosecutors in the case concatenated them change these into felonies. In the end the releases by the prosecutors were claiming that Aaron could go to prison for 35 years after downloading too many documents from JSTOR.

In Aaron’s case as in Weeve’s the interpretation of the 1984 CFAA (Computer Fraud and Abuse Act) allows for quite a bit of abuse and no substantive changes have been made to that law since it’s inception. As such the law is out of date and ill equipped to apply to much of anything that can happen today. Of course in the case with Weeve this is plainly shown because the data was publicly available and no escalation of privilege was carried out to get it. The access of the ATT data was as easy as tying in a URL yet ATT has made this a federal case and Weeve the target of some pretty hefty jail time as well as fines.

It was plainly seen in the presentation by EFF that the current laws are outdated and that the law makers are not very clueful on how things work today in a digital world. In a way one can infer that they like it this way because it leaves much more for interpretation and misuse but I don’t want to be too dark here. I guess I will just stick to the theory that they are all old and really do consider the internet to be a series of tubes. Either way unless we force change on this and get them to change the laws to reflect reality we all are subject to wrongful if not over prosecution because the current ones are too open to abuse by prosecutors seeking to make a name for themselves.

We Need To Know Who You Are So No Pseudonyms Allowed:

Evidently it’s also too hard for the government to know who’s who so there are pushes on to have a “Real ID” on the internet as well as AFK. Another talk at Shmoocon was about the idea of identity and how companies like Facebook as well as the government are seeking to apply rules on “Persistent ID” Since the lawmakers find technology so hard to understand and privacy is an antiquated idea they just seem to think that foisting a persistent ID on us will make it all better. Since you have persistence, you won’t do anything like troll anyone online will you? Sure, that’s going to work swimmingly don’t you think?

I am constantly surprised by these people and entities that seem to think that privacy is dead or that it is not needed. The reason people take up pseudonyms is because they wish to speak their mind not only to commit crime. In fact they are likely to really be afraid that the act of speaking their mind may in fact be a crime. You can see this going on in various countries today with authoritarian or theocratic governments. I myself have been taken to court over things I have said as well as have been warned not to rock the boat for fear of more litigation or other negative repercussions. I guess then that the 1st Amendment is just a piffle right?

Out of all of the talks this one scared me the most. This movement to mandate identity online is more venal than any talk of the government trying to erode the 2nd Amendment to me. Why you ask? Because this is something that the governments as well as corporations can get past people’s cognitive dissonance as opposed to taking their guns away. Just how much privacy have we already lost today with the likes of Facebook and others online? How much of your PII data circles the globe in databases showing connections to who you are, where you are, and what you buy? Think about it in the context of linked databases and you can start to see where I’m going here. We have already given up a lot so what’s the big deal in getting a drivers license on the net huh?

I guess the most astounding thing though to me is that the government as well as Facebook think that this will in fact end pseudonym use. If they try then those really seeking to be anonymous will just use someone else’s ID right? The person intent on doing so will just fabricate or steal another ID and thus the waters will be muddied once more. It is galling though that in today’s world we have entities like Instagram that want you to take a photo of your government issued ID to verify who you are and send it to them online.

HOLY WTF!

The Military Leaders Are Old and Do Not Understand The Technology:

Finally, I learned that the leaders of our government and the military on average tend to not understand “internet” I know shocking huh? A talk given at Shmoocon on cyberwar “Hacking As An Act of War” was enlightening to some in the room but for me it was status quo. The fact of the matter is that the people running the wars are old. Those actually prosecuting it are young though. As Mark Hardy said in his presentation “Once the older generation is out of control, the younger generation will be better able to make the changes needed to fight the next war online”  and I’m paraphrasing there but the sentiment is true.

The same goes for the policy makers where this is concerned as well. The paradigms have changed but those in charge have not nor have they tried to keep up with what’s going on. How many times have we all seen pieces in the news where some senator somewhere says something that clearly shows they have no clue what they are talking about? Now imagine that you are someone who’s an expert on that subject. All you can do is hang your head and walk away. I personally have tried with Senator Droopy Dawg to no avail to get across to him that his arguments are only crying wolf instead of being substantive and clued in. Of course nothing came of my trying, not even a response. …Even when I was nice about it.

Now consider the prosecution of war with a digital aspect. Mr. Hardy gave us some great information on the Tallinn manual as well as insight into NATO’s ideas on how to classify and prosecute the laws around digital or 5th domain warfare. At times they seemed to just be out of touch with reality but at least they are trying. The issue though is that this is all Terra Nova and the people trying to assess it are still locked into ideas that pre-date the internet. It’s akin to taking George Washington and placing him in the middle of a firefight in Viet Nam. I should think that George is not going to last long as a warfighter in such a scenario because he lacks the comprehension of the weapons of war for that era.

In other words we are screwed.

Final Thoughts:

Overall Shmoocon was a good time. Much more for the LobbyCon that was constantly going on than most of the presentations though. It was enlightening in many ways to talk to others about what was going on not only technically but moreover their concerns about the same issues as I have laid out here. We live in perilous times where the law and internet are concerned. Our ideals of privacy are at risk as well as our rights according to the Constitution. We are increasingly living our lives within the medium of the digital and yet we fail to see the machinations going on to spy on us with more regularity and impunity.

We are abdicating our privacy as well by allowing companies to keep have our data because we don’t read a EULA and encrypt our transmissions. In so many ways we will be the ones to blame when our data us used against us because we did not carry out the due diligence to protect it. We should not trust in Twitter to protect those conversations we have in DM because their EULA says that nothing you do there is private. … Even a direct message outside the Tweet stream. We need to either say no to these services or force them to change their EULAs to allow for some privacy. Failing that we need to protect ourselves with crypto. The question then becomes, as was intimated to me on a couple occasions this weekend, “Just how long until crypto becomes regulated as a munition again altogether?”

It’s a brave new world kids, best start paying attention.

K.

 

Written by Krypt3ia

2013/02/18 at 16:20

Detecting Psychopathy Via Tweets? A Flawed Premise May Present Dire Consequences

with one comment

In contemporary research and clinical practice, Robert D. Hare’s Psychopathy Checklist, Revised (PCL-R) is the psycho-diagnostic tool most commonly used to assess psychopathy.[1] Because an individual’s score may have important consequences for his or her future, and because the potential for harm if the test is used or administered incorrectly is considerable, Hare argues that the test should only be considered valid if administered by a suitably qualified and experienced clinician under controlled and licensed conditions.[2][3] Hare receives royalties on licensed use of the test.[4]

Background Sources:

Wikipedia on PCL-R

Defcon 20 Presentation

Fox News

Forbes

Wired

Science Daily

wmatrix 

Preamble:

A paper and talk being given at Defcon 20 this week has gotten people all worked into a lather within the news arena and has piqued my interest. The talk centers around the premise that one may be able to determine psychopathic traits (psychopathic and sociopathic behaviors) from of all things, the analysis of tweets. Now, this may be a novel idea to some and it certainly seems the news has latched onto this, but, in the cold hard light of day, this premise has way too many failures to be actually applicable to gaining any insight into anyone’s psyche via Twitter.

In this article I am staking out my contention that this is not a suitable means of diagnostics of this type and in fact, were it to be followed up on and used, would lead to bad results and perhaps the citation of individuals online as being “Psychopathic” when they are not the least bit so. As such, this talk may be an inquiry into whether or not this is possible, but, had the research been carried out to the extent of reading the materials and their ancillaries, one would quickly come to grips with some salient facts that make this method of detection untenable. As the media hype has already started on this, I think it prudent to speak up on this here and now, as well as write an after piece once I have sat through the talk and had a chance to see exactly what they say they believe possible in the end.

A Flawed Premise:

Having read the original paper by Hancock, Woodworth, and Porter, (Hungry like the wolf: A word-pattern analysis of the language of psychopaths) the experiment clearly states that they had chosen a sampling of criminals convicted of murder (various degrees of which) and verbally interviewed them on their crimes. The method of interview was strictly adhered to and was a known and well used process including blind interpretation (where the interviewer did not collate the data on psychopathy, just transcribed dialog and logged emotional states) Once the transcription was done (including disinfluences *uh and um*) this text was taken and run through the wmatrix and other tools to determine the languages affinities for psychopathy and other mental states. This “text” is actual “dialog” and as such, is not the same as the “written word” that the speakers at Defcon are going to be assessing in their presentation, and this is a key difference that I am unsure they have taken into account. Writing is affected and not natural to many (i.e. fluid dialog in writing) Add to this that you are talking about the emoting of data/emotion vis a vis Twitter at 140 characters at a time AND using quite a bit of word shortening and slang, and the premise of using “language” to determine psyche really falls apart.

A second key point is that the dialogs that are being used in the original paper are specifically stories of their crimes. This was a calculated effort on the part of the psychologists to elicit the emotional states of the subjects in relation to their crimes, and their victims. This is a key factor in the determination of the language that the researchers were looking at, and as such, this, as far as I know, is not a part of the paper being presented at Defcon, and thus, misses a key data point… Making the premise suspect to start.

It is my opinion, just from the differences between the experimental inputs, that unless you have a larger dialectic to work from and a trained set of people to determine not only language, but also emotion (we all know how easy it is to misinterpret an email right?) of the poster, you cannot in any way, shape or form come up with a psychiatric profile, never mind an actual diagnosis, of psychopathy via online content, especially that which is culled from Twitter.

Background Data On PCL-R:

Another factor that I would like to address briefly is the use of the PCL-R test. This test, though being around for some time and used, is still not part of the DSMV as a diagnostic tool that they prefer. There are many papers and articles online that do not promote the use of this test as a lock on Psychopathy, nor is there really a consensus from DSM to DSM on exactly what Psychopathy is. Psychology and Psychiatry is more of a plastic science due to the nature of the human brain. So, all of this supposition on trying to quantify an individual from their language written online at 140 characters at a time is being terribly kluged into an ideal. It is important to know the landscape here to understand that nothing is certain and even diagnosis of an ailment such as these can be countered by a second opinion by another doctor.

.. And doctors should be involved in any of these experiments online as well. However, the bulk of what I have seen online and read elsewhere, as well as common sense, points to me the fact that even with a lot of online chatter, one must interview the subject in person to determine their illness.

Not All Problems Can be Solved With Big Data and Technical Solutions:

In the end though, I guess my biggest concern is that certain people out there (or government groups) might take this idea of sifting through big data online for such linguistic cues as something to run with. In fact, contextual searches already exist and often are used by agencies to determine where someone might live or have lived, gone to school, etc by the nature of their writing. In fact, recently on Studio 360 I heard a report of a computer program being created for just such a thing. It however, was also an AI project to try and get the “Turing” effect to be so acute that a person online would not know the difference between computer and human communication.

Which, brings me to another idea.. When will we see the first “psychopathic” AI out there? But I digress…

It seems to me that more and more we are being collectively mined not only for our habits, but now our emotions as well as our psychological makeups. All of this could potentially be collated from numerous sources (not just out of the context of language but also click behavior etc) Remember those days in college when you took Psych 101 and thought the professor was just messing with you and taking notes? Well, I have the same feeling now with the internet in general and the companies and governments using it for contextual purposes.

I doubt though, we will ever be able to contextualize the human psyche just from internet datum… And that is where I think this talk is headed… And thus, I had to speak my peace. I will have another post on my thoughts after the talk.. Maybe they can change my mind a bit.

Maybe not.

K.

Written by Krypt3ia

2012/07/25 at 20:14

Building A Better Anonymous: Separating The Philosophical From The Practical

with one comment

So, here’s my thing…

Ok, so here’s my thing.. This notion of building a “better” anonymous is right up front, doomed to failure. As notions go it is a very altruistic one that I think Brian and Josh have thought about quite a bit, but, like many who get wrapped up in the grey areas of philosophy and semantics, they too got lost in the woods and could not see the forest for the trees in the end. Evidently Source Boston had them keynote the show with their talk on making a better, more accountable, and false flag “mostly” free Anonymous that stems from their series of “Building a Better Anonymous“, a series that I actually helped with a bit in the background (shhh don’t tell anyone.. oops) 

The case that they make is an interesting one but from my point of view fails to deal with the concept of human nature that will inevitably be the downfall of any such association, group, collective, or whatever else you would like to call it. Human nature, (i.e. the problem between the chair and the keyboard) will always win out because, you guessed it, we are “human” and we have foibles, wants, desires, and of course and ego. These things all make us do things that are counter to the best laid plans of mice and men (aka a charter of standards and behaviors) and will, in the end, cause some to draw outside the lines of acceptable practice.

This means bad actions from bad actors within the fold.. Or, as in the case of the flawed idea of “Anonymous” as an action, will allow for bad actors to take up the nome de plume of “Anonymous” and do things counter to their ideals but still leave the stench and onus on them as the Judas goat. Boiling it down to a simplistic statement for me kinda encapsulates the whole issue of “Anonymous” which means “unknown” by and of its premise, cannot at any time ever, be considered a movement/group/collective etc that will never be used as the scapegoat for bad actors. Nor will it ever mean that bad actors will never get into the fold and destroy things (like a reputation) from within.

And here’s the statement: “One cannot be Anonymous and expect to change the system for the better. If you have a problem with the system (see above poster) then you must be a known quantity”

Josh and Brian speak of charters and standards of action, but there can never truly be accountability as long as those who claim to be advocating those standards hide behind anonymity. When you are anonymous, you lack accountability and thus, the ego and other human natures allow you to do whatever you like. Speaking of human nature, let me direct you to some movie references that they make and where the human nature portion has been stripped from the argument.

The hitman/cleaner in “Léon: The Professional” had a rule; “No women. No kids.”    (Leon follows this so good on them)

In Fight Club: “The 1st rule of Fight Club is, do not talk about Fight Club”.   (Fight club spreads because people cannot shut up)

In The Transporter, “Rule #3: Never open the package.”  (You guessed it.. HE OPENED THE PACKAGE!)

So, out of three examples there, one was ok. But you are seeing my drift there are you not? Human nature will be the downfall of all the grand plans and schemes we have. It’s our nature to do things in our own self interest more than follow guides or charters. If that were not the case, we would not have crime and prisons right? This is an all too convoluted space to be working in and assume that by laying down some “law” (charter) that everyone will follow it AND that the inevitable others who do not, will not affect the whole by their actions. Add to this the notion of something like Anonymous, who’s actions claim to be anything from lulz to moral actions, and you have a great swath of FAIL that will happen.

It’s all well and good to quote Hobbes, but perhaps you might want to read Plato instead?

In the end, I think it better that the use of “Philosophical Realism” be applied to this problem rather than the altruistic beliefs that have been espoused by Josh and Brian. I would also hasten to add that the cognitive dissonance, to use the turn of phrase used, of trying to contain or direct “Chaos” is just not plausible from any realistic standpoint and thus moot in my opinion. If you like a movie/book reference, lets go to one of my favorites “Jurassic Park”

Dr. Ian Malcolm: If there is one thing the history of evolution has taught us it’s that life will not be contained. Life breaks free, expands to new territories, and crashes through barriers, painfully, maybe even dangerously, but, ah, well, there it is.

What Ian is saying is very appropriate to this argument being made by the authors of “Building A Better Anonymous” In my case though, I would change life to “human nature” but, you get the point don’t you? Life is chaos and human nature is also a form of that as well. We are unpredictable animals and our actions, like those with Anonymous, are really quite unpredictable and not very controllable. Just look at what has happened since Anonymous came out, we had Lulzsec, Antisec, and now a host of others taking the model that Anonymous put out there unfinished, and have been wreaking havoc.. In the name of what really? Because they can?

No, this is a failure to launch in my opinion and Anonymous’ cat is out of the bag. The genie is out of the bottle and you cannot put it back in with a charter as the cork.

Sorry guys.

K.

Written by Krypt3ia

2012/04/18 at 15:47