Tag Archives: crime

Tracking the Owner of Kickass Torrents

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/07/tracking_the_ow.html

Here’s the story of how it was done. First, a fake ad on torrent listings linked the site to a Latvian bank account, an e-mail address, and a Facebook page.

Using basic website-tracking services, Der-Yeghiayan was able to uncover (via a reverse DNS search) the hosts of seven apparent KAT website domains: kickasstorrents.com, kat.cr, kickass.to, kat.ph, kastatic.com, thekat.tv and kickass.cr. This dug up two Chicago IP addresses, which were used as KAT name servers for more than four years. Agents were then able to legally gain a copy of the server’s access logs (explaining why it was federal authorities in Chicago that eventually charged Vaulin with his alleged crimes).

Using similar tools, Homeland Security investigators also performed something called a WHOIS lookup on a domain that redirected people to the main KAT site. A WHOIS search can provide the name, address, email and phone number of a website registrant. In the case of kickasstorrents.biz, that was Artem Vaulin from Kharkiv, Ukraine.

Der-Yeghiayan was able to link the email address found in the WHOIS lookup to an Apple email address that Vaulin purportedly used to operate KAT. It’s this Apple account that appears to tie all of the pieces of Vaulin’s alleged involvement together.

On July 31st 2015, records provided by Apple show that the me.com account was used to purchase something on iTunes. The logs show that the same IP address was used on the same day to access the KAT Facebook page. After KAT began accepting Bitcoin donations in 2012, $72,767 was moved into a Coinbase account in Vaulin’s name. That Bitcoin wallet was registered with the same me.com email address.

Another article.

On a technicality

Post Syndicated from Eevee original https://eev.ee/blog/2016/07/22/on-a-technicality/

Apropos of nothing, I’d like to tell you a story. I’ve touched on this before, but this is the full version. It’s the story of a hypothetical small-to-medium Internet community.

Stop me if you’ve heard this one

You create a little community for a thing you like. You give it a phpBB forum or something.

You want people to be nice, so you make a couple rules. No swearing. No spamming. Don’t use all caps.

You invite your friends, and they invite their friends, and all is well and good. There are a few squabbles now and then, but they get resolved without too much trouble, and everyone more or less gets along.

One day, a new person shows up, and starts linking to their website in almost every thread. Their website mostly consists of very mean-spirited articles written about several well-known and well-liked people in the group. When people ask them to stop, they lash out with harsh insults.

So you ban them.

There is immediate protest from a number of people, most of whom you strangely don’t recognize. The person didn’t break any of the rules — how dare you ban them? They never swore. They never used all caps. They never even spammed, because technically spam is unwanted and automated, and this was a real person linking their website which is related to the thing the community is about.

You can’t think of a good counter-argument for this, so you unban them. You also add a new rule, prohibiting linking to websites.

Now the majority of the community is affected, because they can’t link their own work any more. This won’t work. You repeal the previous rule, and instead make one that limits the number of website links to one per day.

The original jerk responds by linking their website once a day, and then making other posts that link to that first post they made. They continue to be abrasive towards everyone else, but they never swear, and you’re just not sure what to do about that.

A few other people start posting, seemingly just to make fun of the rest of you, but likewise never break any of your rules.

A preposterous arms race follows, with the rules becoming increasingly nitpicky as you try to distinguish overt antagonism from mundane and innocent behavior.

After a while, you notice that many of your friends no longer come around. And there seem to be a lot more jerks than there were before. You don’t understand why. Your rules are reasonable, and you enforced them fairly, right?

But it’s not really a swear word

I’ve noticed that people really like to write rules that sound objective. Seems like a good enough idea, right? Lets everyone know exactly what the line is.

The trick is that human behavior, and especially human language, are very… squishy. We gauge each other based on a lot of unspoken context: our prior relationship, how both of us seem to be feeling, whether or not we skipped lunch today. When the same comment or action can mean radically different things in different circumstances, it’s hard to draw a fine distinction between what’s acceptable behavior and what’s not.

And rules are written in human language, which makes them just as squishy. Who decides what “swearing” is? If all caps aren’t allowed, how about 90%? Who decides what’s a slur? What, precisely, constitutes harassment? These things sound straightforward and concrete, but they can still be nitpicked to death.

We give people the benefit of the doubt and assume they’ll try to respect what we clearly mean, but there’s nothing guaranteeing that.

Have you ever tried to politely decline a request or invitation, and been asked why not? Then the other party starts trying to weasel around your reason, and now you’re somehow part of a debate about what you want? I’ve seen it happen with mundane social interactions, with freelance workers, and of course, with small online communities.

This isn’t to say that hunting for technicalities is a sign of aggressive malice; it’s human nature. We want to do a thing, we’re told we can’t because of X, and so we see X as an obstacle to overcome. Language is subjective, so it’s the easiest avenue of attack.

Fixing this in rules is a hard problem. The obvious approach is to add increasingly specific details, though then you risk catching innocent behaviors, and you can end up stuck in an almost comical game of cat-and-mouse where you keep trying to find ways to edit your own rules so you’re allowed to punish someone you’ve already passed judgment on.

I think we forget that even real laws are somewhat subjective, often hinging on intent. There are entire separate crimes for homicide, depending on whether it was intentional or accidental or due to clear neglect. These things get decided by a judge or a jury and become case law, the somewhat murky extra rules that aren’t part of formal law but are binding nonetheless.

(In an awkward twist, a lot of communities — especially very large platforms! — don’t explain their reasoning for punishing any particular behavior. That somewhat protects them from being “but technically”-ed, but it also means there’s no case law, and no one else can quite be sure what’s expected behavior.)

That’s why I mostly now make quasirules like “don’t be a dick” or “keep your vitriol to your own blog”. The general expectation is still clear, and it’s obvious that I reserve the right to judge individual cases — which, in the case of a small community, is going to happen anyway. Let’s face it: small communities are monarchies, not democracies.

I do have another reason for this, which is based on another observation I’ve made of small communities. I’ve joined a few where I didn’t bother reading the rules, made some conversation, never bothered anyone, and then later discovered that I’d pretty clearly violated a rule. But no one ever pointed it out, and perhaps no one even noticed, because I wasn’t being a dick.

So I concluded that, for a smaller community, the people who need the rules are likely to be people who you don’t want around in the first place. And “don’t be a dick” covers that just as well.

Evaporative cooling

There are some nice people in the world. I mean nice people, the sort I couldn’t describe myself as. People who are friends with everyone, who are somehow never involved in any argument, who seem content to spend their time drawing pictures of bumblebees on flowers that make everyone happy.

Those people are great to have around. You want to hold onto them as much as you can.

But people only have so much tolerance for jerkiness, and really nice people often have less tolerance than the rest of us.

The trouble with not ejecting a jerk — whether their shenanigans are deliberate or incidental — is that you allow the average jerkiness of the community to rise slightly. The higher it goes, the more likely it is that those really nice people will come around less often, or stop coming around at all. That, in turn, makes the average jerkiness rise even more, which teaches the original jerk that their behavior is acceptable and makes your community more appealing to other jerks. Meanwhile, more people at the nice end of the scale are drifting away.

And this goes for a community of any size, though it may take more jerks to significantly affect a very large platform.

It’s still hard to give someone the boot, though, because it just feels like a really harsh thing to do to someone, especially for an abstract reason like “preserving the feel of the community”. And a jerk is more likely to make a fuss about being made to leave, which makes it feel like a huge issue — whereas nice people generally leave very quietly, and you may not even notice until several of them have been gone for a while.

There’s a human tendency to measure peace as though it were the inverse of volume: the louder people get, the less peaceful it is. We then try to optimize for the least arguing. I’m sure you’ve seen this happen before: someone in a group points out that the group is doing something destructive, that causes an argument, and then onlookers blame the person who pointed out the problem for causing the argument to happen. You can probably think of some pretty high-profile examples in some current events.

(You may relatedly enjoy the tale of the missing stair.)

Have you ever watched one of those TV shows where a dude comes in to berate restaurant owners for all the ridiculous things they’ve been doing? One of the most common defenses is: “well, no one complained”.

In the age of the Internet, where it seems like everyone is always complaining about something, it’s easy to forget that by and large people don’t complain. Sure, they might complain on their Twitter or to their friends or whatever, but chances are, they won’t complain to you. Consider: either you’re aware of the problem and have failed to solve it, or you’re clueless for not noticing. Either way, complaining won’t help anything; it’ll just cause conflict, making them that person who “caused” an argument by pointing out the obvious.

Gamification

Some people are aware of the technicality game on some level, and decide to play it — deliberately. Maybe to get their way; maybe just for fun.

These are people who think “it’d be a shame if something happened to it” is just the way people talk. Layered thick with multiple levels of irony, cloaked in jokes and misdirection, up to its eyeballs in plausible deniability, but crystal clear to the right audience.

It’s a game that offers them a massive advantage, because even if you both know you’re playing it, they have much more experience. Oh, and chances are they don’t even truly care about whether they’re banned or not, so they have nothing to lose — whereas you’re stuck with an existential crisis, questioning everything you believe about free speech and community management, while your nicest peers sneak out the back door.

I remember a time when someone in a community I helped run decided they didn’t like me. They started making subtle jabs, and eventually built up to saying the most biting and personal things they could think to say. Those things weren’t true, but they didn’t know that, and they phrased everything in such a way that their friends could rationalize them as not really trying to be cruel. And they had quite a lot of friends in the community, which put me in a pretty awkward position. How do I justify banning them, if a significant number of people are sure they’re innocent? Am I fucking crazy for seeing this glaring pattern when no one else does?

I did eventually ban them, but it contributed to a complete schism where most of the more grating people left to form their own clubhouse. Win/win?

Or let’s say, hypothetically, that some miscreant constructs a fake tweet screenshot. It’s shared by a high-profile person and spreads like wildfire.

Should either of them be punished? Which one, and why? The faker probably regarded it as a harmless joke; if not for the sharer, it would’ve remained one. Yet the sharer’s only crime was being popular. Did the sharer know it was fake? Was the sharer trying to inflict harm, draw attention to troubling behavior, or share something that made them laugh? Are the faker and the sharer the same person? If you can’t be sure either way, does it matter?

What if, instead of the thing you may be thinking about, the forgery depicted Donald Trump plagiarizing Barack Obama’s tweet congratulating Michelle Obama for her speech? Does that change any of the answers?

This is really difficult in extremely large groups, where you most want to avoid doling out arbitrary punishment, yet where people who play this game can inflict the most damage. The people who make and enforce the rules may not even be part of the group any more, and certainly can’t form an impression of every individual person in the group, so how can anything be enforced consistently? How do you account for intention, sarcasm, irony, self-deprecating humor? How do you explain this clearly without subjecting yourself to an endless deluge of technicalities? You could refuse to explain yourself at all, of course, but then you leave yourself open for people to offer their own explanations: you’re a tyrant who bans anyone who contradicts you, or you hated them for demographic reasons, or you’re just plain irrational and do zany cruel things to people around you on a whim.

I don’t have any good answers

I’m not sure there are any. Corralling people is a tricky problem. We still barely know how to do it in meatspace groups of half a dozen, let alone digital groups numbering in the hundreds of millions.

Our current approaches kinda suck, though.

Welcome Intern Aaron!

Post Syndicated from Yev original https://www.backblaze.com/blog/welcome-intern-aaron/

The newest intern to join the Marketing ranks is Aaron! He’s a high school student who’s just dipping his toes in the fantastical world of startups. He’ll be helping us work on our spreadsheets and making sure that all of our campaigns are properly cataloged and accounted for. Let’s learn a bit more about Aaron, shall we?

What is your Backblaze Title?
I’m a marketing intern working for Yev.

Where are you originally from?
I’m from the East Bay, and I’ve lived there my whole life.

What attracted you to Backblaze?
My dad, Andy Klein, joined Backblaze in 2012, and I’ve been hearing from him about the amazing growth of the company ever since. I originally wanted to join because I wanted to diversify my experience, get better with technology, and I was broke (the best motivator). Now, after being here for about a week, I have new reasons why I really appreciate working here. I feel, even if I am just a lowly marketing intern, I am doing so much more, because Backblaze is a small business that’s always growing bigger. Also, this company provides a service that anyone can relate to and that everyone needs, because everyone has data, and I think that’s special. Also, the free food. Food is always a plus.

What do you expect to learn while being at Backblaze?
I expect to learn how to work with spreadsheets, how to evaluate and work off raw data, and how the mysterious worlds of marketing and business work.

Where else have you worked?
Last summer, I worked as a catering server at Palmdale Estates in Fremont. It’s closed now, but they hosted A LOT of weddings there.

What’s your dream job?
My dream job is becoming a crime fighting vigilante, but my parents said no, so I’m going to settle for becoming a marine biologist or some other type of biologist.

Favorite place you’ve traveled?
My favorite place I’ve traveled to was Australia. My family and I went to Sydney, Cairns, and the Australian outback. It was the most amazing trip I’ve ever done.

Favorite hobby?
I have a few, but my top two are building and flying model rockets with my friends and doing improv comedy shows for my school.

Star Trek or Star Wars?
Both are amazing shows, you can’t make me decide. They are unique in their own special ways, but I think they would be better as one. Captain Kirk with a lightsaber would be formidable.

Coke or Pepsi?
The old-style Coca-Cola that’s made in Mexico would beat Pepsi any day.

Favorite food?
Banana cream pie is one of my favorites, but I try to avoid it and only eat it for very special occasions.

Why do you like certain things?
I like to do things that will give me the opportunity to learn more and to help other people. I’m always looking to develop myself, learn new things, and try things I may be terrible at. Even if I end up being really, REALLY bad at something, I will learn from those experiences the most.

Anything else you’d like to tell us?
My current career plan here at Backblaze is to work my way to becoming a responsible and respectable intern for Yev, and then, when no one is expecting it, I will engineer a magnificent coup-d’etat and overthrow Yev, becoming Supreme Ruler of Marketing.

Someone on the marketing team that wants to overthrow me? He’ll fit right in!

Security Effectiveness of the Israeli West Bank Barrier

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/07/security_effect.html

Interesting analysis:

Abstract: Objectives — Informed by situational crime prevention (SCP) this study evaluates the effectiveness of the “West Bank Barrier” that the Israeli government began to construct in 2002 in order to prevent suicide bombing attacks.

Methods — Drawing on crime wave models of past SCP research, the study uses a time series of terrorist attacks and fatalities and their location in respect to the Barrier, which was constructed in different sections over different periods of time, between 1999 and 2011.

Results — The Barrier together with associated security activities was effective in preventing suicide bombings and other attacks and fatalities with little if any apparent displacement. Changes in terrorist behavior likely resulted from the construction of the Barrier, not from other external factors or events.

Conclusions — In some locations, terrorists adapted to changed circumstances by committing more opportunistic attacks that require less planning. Fatalities and attacks were also reduced on the Palestinian side of the Barrier, producing an expected “diffusion of benefits” though the amount of reduction was considerably more than in past SCP studies. The defensive roles of the Barrier and offensive opportunities it presents, are identified as possible explanations. The study highlights the importance of SCP in crime and counter-terrorism policy.

Unfortunately, the whole paper is behind a paywall.

Note: This is not a political analysis of the net positive and negative effects of the wall, just a security analysis. Of course any full analysis needs to take the geopolitics into account. The comment section is not the place for this broader discussion.

Visiting a Website against the Owner’s Wishes Is Now a Federal Crime

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/07/visiting_a_webs.html

While we’re on the subject of terrible 9th Circuit Court rulings:

The U.S. Court of Appeals for the 9th Circuit has handed down a very important decision on the Computer Fraud and Abuse Act…. Its reasoning appears to be very broad. If I’m reading it correctly, it says that if you tell people not to visit your website, and they do it anyway knowing you disapprove, they’re committing a federal crime of accessing your computer without authorization.

Password Sharing Is Now a Crime

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/07/password_sharin_1.html

In a truly terrible ruling, the US 9th Circuit Court ruled that using someone else’s password with their permission but without the permission of the site owner is a federal crime.

The argument McKeown made is that the employee who shared the password with Nosal “had no authority from Korn/Ferry to provide her password to former employees.”

At issue is language in the CFAA that makes it illegal to access a computer system “without authorization.” McKeown said that “without authorization” is “an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.” The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?

Reinhardt argues that Nosal’s use of the database was unauthorized by the firm, but was authorized by the former employee who shared it with him. For you and me, this case means that unless Netflix specifically authorizes you to share your password with your friend, you’re breaking federal law.

The EFF:

While the majority opinion said that the facts of this case “bear little resemblance” to the kind of password sharing that people often do, Judge Reinhardt’s dissent notes that it fails to provide an explanation of why that is. Using an analogy in which a woman uses her husband’s user credentials to access his bank account to pay bills, Judge Reinhardt noted: “So long as the wife knows that the bank does not give her permission to access its servers in any manner, she is in the same position as Nosal and his associates.” As a result, although the majority says otherwise, the court turned anyone who has ever used someone else’s password without the approval of the computer owner into a potential felon.

The Computer Fraud and Abuse Act has been a disaster for many reasons, this being one of them. There will be an appeal of this ruling.

How Una Got Her Stolen Laptop Back

Post Syndicated from Andy Klein original https://www.backblaze.com/blog/how-una-found-her-stolen-laptop/

Reading Peter’s post on getting your data ready for vacation travels reminded me of a story we recently received from a Backblaze customer. Una’s laptop was stolen and then traveled over multiple continents over the next year. Here’s Una’s story, in her own words, on how she got her laptop back. Enjoy.

Pulse Incident Number 10028192
(or: How Playing Computer Games Can Help You In Adulthood)

One day when I was eleven, my father arrived home with an object that looked like a briefcase made out of beige plastic. Upon lifting it, one realized it had the weight of, oh, around two elephants. It was an Ericsson ‘portable’ computer, one of the earliest prototypes of laptop. All my classmates had really cool and fashionable computer game consoles with amazing names like “Atari” and “Commodore”, beautifully vibrant colour displays, and joysticks. Our Ericsson had a display with two colours (orange and … dark orange), it used floppy discs that were actually floppy (remember those?), ran on DOS and had no hard drive (you had to load the operating system every single time you turned on the computer. Took around 10 minutes). I dearly loved this machine, however, and played each of the 6 games on it incessantly. One of these was “Where In The World Is Carmen Sandiego?” an educational game where a detective has to chase an archvillain around the world, using geographical and cultural references as clues to get to the next destination. Fast forward twenty years and…

It’s June 2013, I’m thirty years old, and I still love laptops. I live in Galway, Ireland; I’m a self-employed musician who works in a non-profit music school so the cash is tight, but I’ve splashed out on a Macbook Pro and I LOVE IT. I’m on a flight from Dublin to Dubai with a transfer in Turkey. I talk to the guy next to me, who has an Australian accent and mentions he’s going to Asia to research natural energy. A total hippy, I’m interested; we chat until the convo dwindles, I do some work on my laptop, and then I fall asleep.

At 11pm the plane lands in Turkey and we’re called off to transfer to a different flight. Groggy, I pick up my stuff and stumble down the stairs onto the tarmac. In the half-light beside the plane, in the queue for the bus to the terminal, I suddenly realize that I don’t have my laptop in my bag. Panicking, I immediately seek out the nearest staff member. “Please! I’ve left my laptop on the plane – I have to go back and get it!”

The guy says: “No. It’s not allowed. You must get on the bus, madam. The cabin crew will find it and put it in “Lost and Found” and send it to you.” I protest but I can tell he’s immovable. So I get on the bus, go into the terminal, get on another plane and fly to Dubai. The second I land I ring Turkish Air to confirm they’ve found my laptop. They haven’t. I pretty much stalk Turkish Air for the next two weeks to see if the laptop turns up, but to no avail. I travel back via the same airport (Ataturk International), and go around all three Lost and Found offices in the airport, but my laptop isn’t there amongst the hundreds of Kindles and iPads. I don’t understand.

As time drags on, the laptop doesn’t turn up. I report the theft in my local Garda station. The young Garda on duty is really lovely to me and gives me lots of empathy, but the fact that the laptop was stolen in airspace, in a foreign, non-EU country, does not bode well. I continue to stalk Turkish Airlines; they continue to stonewall me, so I get in touch with the Turkish Department for Consumer Affairs. I find a champion amongst them called Ece, who contacts Turkish Airlines and pleads on my behalf. Unfortunately they seem to have more stone walls in Turkey than there are in the entire of Co. Galway, and his pleas fall on deaf ears. Ece advises me I’ll have to bring Turkish Airlines to court to get any compensation, which I suspect will cost more time and money than the laptop is realistically worth. In a first-world way, I’m devastated – this object was a massive financial outlay for me, a really valuable tool for my work. I try to appreciate the good things – Ece and the Garda Sharon have done their absolute best to help me, my pal Jerry has loaned me a laptop to tide me over the interim – and then I suck it up, say goodbye to the last of my savings, and buy a new computer.

I start installing the applications and files I need for my business. I subscribe to an online backup service, Backblaze, whereby every time I’m online my files are uploaded to the cloud. I’m logging in to Backblaze to recover all my files when I see a button I’ve never noticed before labelled “Locate My Computer”. I catch a breath. Not even daring to hope, I click on it… and it tells me that Backblaze keeps a record of my computer’s location every time it’s online, and can give me the IP address my laptop has been using to get online. The records show my laptop has been online since the theft!! Not only that, but Backblaze has continued to back up files, so I can see all files the thief has created on my computer. My laptop has last been online in, of all the places, Thailand. And when I look at the new files saved on my computer, I find Word documents about solar power. It all clicks. It was the plane passenger beside me who had stolen my laptop, and he is so clueless he’s continued to use it under my login, not realizing this makes him trackable every time he connects to the internet.

I keep the “Locate My Computer” function turned on, so I’m consistently monitoring the thief’s whereabouts, and start the chapter of my life titled “The Sleep Deprivation and The Phonebill”. I try ringing the police service in Thailand (GMT +7 hours) multiple times. To say this is ineffective is an understatement; the language barrier is insurmountable. I contact the Irish embassy in Bangkok – oh, wait, that doesn’t exist. I try a consulate, who is lovely but has very limited powers, and while waiting for them to get back to me I email two Malaysian buddies asking them if they know anyone who can help me navigate the language barrier. I’m just put in touch with this lovely pal-of-a-pal called Tupps who’s going to help me when… I check Backblaze and find out that my laptop had started going online in East Timor. Bye bye, Thailand.

I’m so wrecked trying to communicate with the Thai bureaucracy I decide to play the waiting game for a while. I suspect East Timor will be even more of an international diplomacy challenge, so let’s see if the thief is going to stay there for a while before I attempt a move, right? I check Backblaze around once a week for a month, but then the thief stops all activity – I’m worried. I think he’s realized I can track him and has stopped using my login, or has just thrown the laptop away. Reason kicks in, and I begin to talk myself into stopping my crazy international stalking project. But then, when I least expect it, I strike informational GOLD. In December, the thief checks in for a flight from Bali to Perth and saves his online check-in to the computer desktop. I get his name, address, phone number, and email address, plus flight number and flight time and date.

I have numerous fantasies about my next move. How about I ring up the police in Australia, they immediately believe my story and do my every bidding, and then the thief is met at Arrivals by the police, put into handcuffs and marched immediately to jail? Or maybe I should somehow use the media to tell the truth about this guy’s behaviour and give him a good dose of public humiliation? Should I try my own version of restorative justice, contact the thief directly and appeal to his better nature? Or, the most tempting of all, should I get my Australian-dwelling cousin to call on him and bash his face in? … This last option, to be honest, is the outcome I want the most, but Emmett’s actually on the other side of the Australian continent, so it’s a big ask, not to mention the ever-so-slightly scary consequences for both Emmett and myself if we’re convicted… ! (And, my conscience cries weakly from the depths, it’s just the teensiest bit immoral.) Christmas is nuts, and I’m just so torn and ignorant about what course of action to take I … do nothing.

One morning in the grey light of early February I finally decide what to do. Although it’s the longest shot in the history of long shots, I will ring the Australian police force about a laptop belonging to a girl from the other side of the world, which was stolen in airspace, in yet another country in the world. I use Google to figure out the nearest Australian police station to the thief’s address. I set my alarm for 4am Irish time, I ring Rockhampton Station, Queensland, and explain the situation to a lovely lady called Danielle. Danielle is very kind and understanding but, unsurprisingly, doesn’t hold out much hope that they can do anything. I’m not Australian, the crime didn’t happen in Australia, there’s questions of jurisdiction, etc. etc. I follow up, out of sheer irrational compulsion rather than with the real hope of an answer, with an email 6 weeks later. There’s no response. I finally admit to myself the laptop is gone. Ever since he’s gone to Australia the thief has copped on and stopped using my login, anyway. I unsubscribe my stolen laptop from Backblaze and try to console myself with the thought that at least I did my best.

And then, completely out of the blue, on May 28th 2014, I get an email from a Senior Constable called Kain Brown. Kain tells me that he has executed a search warrant at a residence in Rockhampton and has my laptop!! He has found it!!! I am stunned. He quickly gets to brass tacks and explains my two options: I can press charges, but it’s extremely unlikely to result in a conviction, and even if it did, the thief would probably only be charged with a $200 fine – and in this situation, it could take years to get my laptop back. If I don’t press charges, the laptop will be kept for 3 months as unclaimed property, and then returned to me. It’s a no-brainer; I decide not to press charges. I wait, and wait, and three months later, on the 22nd September 2014, I get an email from Kain telling me that he can finally release the laptop to me.

Naively, I think my tale is at the “Happy Ever After” stage. I dance a jig around the kitchen table, and read my subsequent email from a “Property Officer” of Rockhampton Station, John Broszat. He has researched how to send the laptop back to me … and my jig is suddenly halted. My particular model of laptop has a lithium battery built into the casing which can only be removed by an expert, and it’s illegal to transport a lithium battery by air freight. So the only option for getting the laptop back, whole and functioning, is via “Sea Mail” – which takes three to four months to get to Ireland. This blows my mind. I can’t quite believe that in this day and age, we can send people to space, a media file across the world in an instant, but that transporting a physical object from one side of the globe to another still takes … a third of a year! It’s been almost a year and a half since my laptop was stolen. I shudder to think of what will happen on its final journey via Sea Mail – knowing my luck, the ship will probably be blown off course and it’ll arrive in the Bahamas.

Fortunately, John is empathetic, and willing to think outside the box. Do I know anyone who will be travelling from Australia to Ireland via plane who would take my laptop in their hand luggage? Well, there’s one tiny silver lining to the recession: half of Craughwell village has a child living in Australia. I ask around on Facebook and find out that my neighbour’s daughter is living in Australia and coming home for Christmas. John Broszat is wonderfully cooperative and mails my laptop to Maroubra Police Station for collection by the gorgeous Laura Gibbons. Laura collects it and brings it home in her flight hand luggage, and finally, FINALLY, on the 23rd of December 2014, 19 months after it’s been stolen, I get my hands on my precious laptop again.

I gingerly take the laptop out of the fashionable paper carrier bag in which Laura has transported it. I set the laptop on the table, and examine it. The casing is slightly more dented than it was, but except for that it’s in one piece. Hoping against hope, I open up the screen, press the ‘on’ button and… the lights flash and the computer turns on!!! The casing is dented, there’s a couple of insalubrious pictures on the hard drive I won’t mention, but it has been dragged from Turkey to Thailand to East Timor to Indonesia to Australia, and IT STILL WORKS. It even still has the original charger accompanying it. Still in shock that this machine is on, I begin to go through the hard drive. Of course, it’s radically different – the thief has deleted all my files, changed the display picture, downloaded his own files and applications. I’m curious: What sort of person steals other people’s laptops? How do they think, organize their lives, what’s going through their minds? I’ve seen most of the thief’s files before from stalking him via the Backblaze back-up service, and they’re not particularly interesting or informative about the guy on a personal level. But then I see a file I haven’t seen before, “free ebook.pdf”. I click on it, and it opens. I shake my head in disbelief. The one new file that the thief has downloaded onto my computer is the book “How To Win Friends And Influence People”.

A few weeks later, a new friend and I kiss for the first time. He’s a graphic designer from London. Five months later, he moves over to Ireland to be with me. We’re talking about what stuff he needs to bring when he’s moving and he says “I’m really worried; my desktop computer is huge. I mean, I have no idea how I’m going to bring it over.” Smiling, I say “I have a spare laptop that might suit you…”

[Editor: The moral of the story is make sure your data is backed up before you go on vacation.]

The post How Una Got Her Stolen Laptop Back appeared first on Backblaze Blog | Cloud Storage & Cloud Backup.

Crowdsourcing a Database of Hotel Rooms

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/06/crowdsourcing_a.html

There’s an app that allows people to submit photographs of hotel rooms around the world into a centralized database. The idea is that photographs of victims of human trafficking are often taken in hotel rooms, and the database will help law enforcement find the traffickers.

I can’t speak to the efficacy of the database, but it’s an interesting crowdsourced approach to the problem.

Fraudsters are Buying IPv4 Addresses

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/06/fraudsters_are_.html

IPv4 addresses are valuable, so criminals are figuring out how to buy or steal them.

Hence criminals’ interest in ways to land themselves IP addresses, some of which were detailed this week by ARIN’s senior director of global registry knowledge, Leslie Nobile, at the North American Network Operators Group’s NANOG 67 conference.

Nobile explained that criminals look for dormant ARIN records and try to establish themselves as the rightful administrator. ARIN has 30,556 legacy network records, she said, but a validated point of contact for only 54 per cent of those networks. The remaining ~14,000 networks are ripe for targeting by hijackers who Nobile said are only interested in establishing legitimacy with ARIN so they can find a buyer for unused IPv4 addresses possessed by dormant legacy networks.

Criminals do so by finding dormant ARIN records and Whois data to see if there is a valid contact, then ascertaining if IPv4 allocations are currently routed. If the assigned addresses are dark and no active administrator exists, hijackers can revive dormant domain names or even re-register the names of defunct companies in order to establish a position as legitimate administrators of an address space. If all goes well, the hijackers end up with addresses to sell.

Video presentation here.

Situational Awareness and Crime Prevention

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/06/situational_awa.html

Ronald V. Clarke argues for more situational awareness in crime prevention. Turns out if you make crime harder, it goes down. And this has profound policy implications.

Whatever the benefits for Criminology, the real benefits of a greater focus on crime than criminality would be for crime policy. The fundamental attribution error is the main impediment to formulating a broader set of policies to control crime. Nearly everyone believes that the best way to control crime is to prevent people from developing into criminals in the first place or, failing that, to use the criminal justice system to deter or rehabilitate them. This has led directly to overuse of the system at vast human and economic cost.

Hardly anyone recognizes–whether politicians, public intellectuals, government policy makers, police or social workers–that focusing on the offender is dealing with only half the problem. We need also to deal with the many and varied ways in which society inadvertently creates the opportunities for crime that motivated offenders exploit by (i) manufacturing crime-prone goods, (ii) practicing poor management in many spheres of everyday life, (iii) permitting poor layout and design of places, (iv) neglecting the security of the vast numbers of electronic systems that regulate our everyday lives and, (v) enacting laws with unintended benefits for crime.

Situational prevention has accumulated dozens of successes in chipping away at some of the problems created by these conditions, which attests to the principles formulated so many years ago in Home Office research. Much more surprising, however, is that the same thing has been happening in every sector of modern life without any assistance from governments or academics. I am referring to the security measures that hundreds, perhaps thousands, of private and public organizations have been taking in the past 2-3 decades to protect themselves from crime.

Case 223: Hidden Costs

Post Syndicated from The Codeless Code original http://thecodelesscode.com/case/223

As punishment for
implementing an unusual solution to a problem,
the nun Satou had been ordered by master Banzen
to pose motionless in the entryway of his office
each day, pretending to be a coat stand.

Each new visitor that entered would invariably look about
with puzzlement and ask what should be done with their coat.
The master would then point wordlessly to Satou.
Eventually the visitor would comprehend.

When one hundred visitors had come and gone, Banzen asked his
apprentice whether she had served his guests well.

Satou replied, “Not one coat lay crumpled on the floor,
dampened a chair, or burdened its owner.”

Banzen shook his head and ordered the nun to continue
her services.

When another hundred visitors had come and gone, Banzen again
asked his apprentice whether she had served his guests well.

Satou replied, “I stole from each.”

Banzen raised an eyebrow and asked, “What did you steal?”

“Alas!” cried Satou. “Now I have stolen from you as well!”

Banzen smiled and released the nun from her duties.

Qi’s commentary

Until this tale makes sense, I have stolen from you as well.
Alas, I know no better way to keep you from a life of crime.

Qi’s poem

Satou built a clock that lost a minute a day.
She hung it where forty million monks could see.
The next day she was sentenced to beheading—
The nun could not deny that she had stolen a life.

Poland and the United States: all that begins must end

Post Syndicated from Michal Zalewski original http://lcamtuf.blogspot.com/2015/07/poland-and-united-states-wrapping-up.html

With my previous entry, I wrapped up an impromptu series of articles that chronicled my childhood experiences in Poland and compared the culture I grew up with to the American society that I’m living in today. For the readers who want to be able to navigate the series without scrolling endlessly, I wanted to put together a quick table of contents. Here it goes.

The entry that started it all:

Oh, the places you won’t go:

Poland (and Europe) vs the United States:

And now, back to the regularly scheduled programming...

A bit more on firearms in the US

Post Syndicated from Michal Zalewski original http://lcamtuf.blogspot.com/2015/06/a-bit-more-on-firearms-in-us.html

This is the fifth article in a short series about Poland, Europe, and the United States. To explore the entire series, start here.

Perhaps not surprisingly, my previous blog post sparked several interesting discussions with my Polish friends who took a more decisive view of the social costs of firearm ownership, or who saw the Second Amendment as a barbaric construct with no place in today’s world. Their opinions reminded me of my own attitude some ten years ago; in this brief follow-up, I wanted to share several data points that convinced me to take a more measured stance.

Let’s start with the basics: most estimates place the number of guns in the United States at 300 to 350 million – that’s roughly one firearm per every single resident. In Gallup polls, some 40-50% of all households report having a gun, frequently more than one. The demographics of firearm ownership are more uniform than stereotypes may imply; there is some variance across regions, political affiliations, and genders – but for the most part, it tends to fall within fairly narrow bands.

An overwhelming majority of gun owners cite personal safety as the leading motive for purchasing a firearm; hunting and recreation activities come strong second. The defensive aspect of firearm ownership is of special note, because it can potentially provide a very compelling argument for protecting the right to bear arms even if it’s a socially unwelcome practice, or if it comes at an elevated cost to the nation as a whole.

The self-defense argument is sometimes dismissed as pure fantasy, with many eminent pundits citing one questionable statistic to support this view: the fairly low number of justifiable homicides in the country. Despite its strong appeal to ideologues, the metric does not stand up to scrutiny: all available data implies that most encounters where a gun is pulled by a would-be victim will not end with the assailant getting killed; it’s overwhelmingly more likely that the bad guy would hastily retreat, be detained at gunpoint, or suffer non-fatal injuries. In fact, even in the unlikely case that a firearm is actually discharged with the intent to kill or maim, somewhere around 70-80% of victims survive.

In reality, we have no single, elegant, and reliable source of data about the frequency with which firearms are used to deter threats; the results of scientific polls probably offer the most comprehensive view, but are open to interpretation and their results vary significantly depending on sampling methods and questions asked. That said, a recent meta-analysis from Centers for Disease Control and Prevention provided some general bounds:


“Defensive use of guns by crime victims is a common occurrence, although the exact number remains disputed (Cook and Ludwig, 1996; Kleck, 2001a). Almost all national survey estimates indicate that defensive gun uses by victims are at least as common as offensive uses by criminals, with estimates of annual uses ranging from about 500,000 to more than 3 million.”

An earlier but probably similarly unbiased estimate from US Dept of Justice puts the number at approximately 1.5 million uses a year.

The CDC study also goes on to say:


“A different issue is whether defensive uses of guns, however numerous or rare they may be, are effective in preventing injury to the gun-wielding crime victim. Studies that directly assessed the effect of actual defensive uses of guns (i.e., incidents in which a gun was “used” by the crime victim in the sense of attacking or threatening an offender) have found consistently lower injury rates among gun-using crime victims compared with victims who used other self-protective strategies.”

An argument can be made that the availability of firearms translates to higher rates of violent crime, thus elevating the likelihood of encounters where a defensive firearm would be useful – feeding into an endless cycle of escalating violence. That said, such an effect does not seem to be particularly evident. For example, the United States comes out reasonably well in statistics related to assault, rape, and robbery; on these fronts, America looks less violent than the UK or a bunch of other OECD countries with low firearm ownership rates.

But there is an exception: one area where the United States clearly falls behind other highly developed nations is homicides. The per-capita figures are almost three times as high as in much of the European Union. And indeed, the bulk of intentional homicides – some 11 thousand deaths a year – trace back to firearms.

We tend to instinctively draw a connection to guns, but the origins of this tragic situation may be more elusive than they appear. For one, non-gun-related homicides happen in the US at a higher rate than in many other countries, too; Americans just seem to be generally more keen on killing each other than people in places such as Europe, Australia, or Canada. In addition, no convincing pattern emerges when comparing overall homicide rates across states with permissive and restrictive gun ownership laws. Some of the lowest per-capita homicide figures can be found in extremely gun-friendly states such as Idaho, Utah, or Vermont; whereas highly-regulated Washington D.C., Maryland, Illinois, and California all rank pretty high. There is, however, fairly strong correlation between gun and non-gun homicide rates across the country – suggesting that common factors such as population density, urban poverty, and drug-related gang activities play a far more significant role in violent crime than the ease of legally acquiring a firearm. It’s tragic but worth noting that a strikingly disproportionate percentage of homicides involves both victims and perpetrators that belong to socially disadvantaged and impoverished minorities. Another striking pattern is that up to about a half of all gun murders are related to or committed under the influence of illicit drugs.

Now, international comparisons show general correlation between gun ownership and some types of crime, but it’s difficult to draw solid conclusions from that: there are countless other ways to explain why crime rates may be low in the wealthy European states, and high in Venezuela, Mexico, Honduras, or South Africa; compensating for these factors is theoretically possible, but requires making far-fetched assumptions that are hopelessly vulnerable to researcher bias. Comparing European countries is easier, but yields inconclusive results: gun ownership in Poland is almost twenty times lower than in neighboring Germany and ten times lower than in Czech Republic – but you certainly wouldn’t be able to tell that from national crime stats.

When it comes to gun control, one CDC study on the topic concluded with:


“The Task Force found insufficient evidence to determine the effectiveness of any of the firearms laws or combinations of laws reviewed on violent outcomes.”

This does not imply that such approaches are necessarily ineffective; for example, it seems pretty reasonable to assume that well-designed background checks or modest waiting periods do save lives. Similarly, safe storage requirements would likely prevent dozens of child deaths every year, at the cost of rendering firearms less available for home defense. But for the hundreds of sometimes far-fetched gun control proposals introduced every year on federal and state level, emotions often take the place of real data, poisoning the debate around gun laws and ultimately bringing little or no public benefit. The heated assault weapon debate is one such red herring: although modern semi-automatic rifles look sinister, they are far more common in movies than on the streets; in reality, all kinds of rifles account only for somewhere around 4% of firearm homicides, and AR-15s are only a tiny fraction of that – likely claiming about as many lives as hammers, ladders, or swimming pools. The efforts to close the “gun show loophole” seem fairly sensible at the surface, too, but are of similarly uncertain merit; instead of gun shows, criminals depend on friends, family, and on more than 200,000 guns that are stolen from their rightful owners every year. When breaking into a random home yields a 40-50% chance of scoring a firearm, it’s not hard to see why.

Another oddball example of simplistic legislative zeal is the attempts to mandate costly gun owner liability insurance, based on drawing an impassioned but flawed parallel between firearms and cars; what undermines this argument is that car accidents are commonplace, while gun handling mishaps – especially ones that injure others – are rare. We also have proposals to institute $100 ammunition purchase permits, to prohibit ammo sales over the Internet, or to impose a hefty per-bullet tax. Many critics feel that such laws seem to be geared not toward addressing any specific dangers, but toward making firearms more expensive and burdensome to own – slowly eroding the constitutional rights of the less wealthy folks. They also see hypocrisy in the common practice of making retired police officers and many high-ranking government officials exempt from said laws.

Regardless of individual merits of the regulations, it’s certainly true that with countless pieces of sometimes obtuse and poorly-written federal, state, and municipal statutes introduced every year, it’s increasingly easy for people to unintentionally run afoul of the rules. In California, the law as written today implies that any legal permanent resident in good standing can own a gun, but that only US citizens can transport it by car. Given that Californians are also generally barred from carrying firearms on foot in many populated areas, non-citizen residents are seemingly expected to teleport between the gun store, their home, and the shooting range. With many laws hastily drafted in the days after mass shootings and other tragedies, such gems are commonplace. The federal Gun-Free School Zones Act imposes special restrictions on gun ownership within 1,000 feet of a school and slaps harsh penalties for as little as carrying it in an unlocked container from one’s home to a car parked in the driveway. In many urban areas, a lot of people either live within such a school zone or can’t conceivably avoid it when going about their business; GFSZA violations are almost certainly common and are policed only selectively.

Meanwhile, with sharp declines in crime continuing for the past 20 years, the public opinion is increasingly in favor of broad, reasonably policed gun ownership; for example, more than 70% of respondents to one Gallup poll are against the restrictive handgun bans of the sort attempted in Chicago, San Francisco, or Washington D.C.; and in a recent Rasmussen poll, only 22% say that they would feel safer in a neighborhood where people are not allowed to keep guns. In fact, responding to the media’s undue obsession with random acts of violence against law-abiding citizens, and worried about the historically very anti-gun views of the sitting president, Americans are buying a lot more firearms than ever before. Even the National Rifle Association – a staunchly conservative organization vilified by gun control advocates and mainstream pundits – enjoys a pretty reasonable approval rating across many demographics: 58% overall and 78% in households with a gun.

And here’s the kicker: despite its reputation for being a political arm of firearm manufacturers, the NRA is funded largely through individual memberships, small-scale donations, and purchase round-ups; organizational donations add up to about 5% of their budget – and if you throw in advertising income, the total still stays under 15%. That makes it quite unlike most of the other large-scale lobbying groups that Democrats aren’t as keen on naming-and-shaming on the campaign trail. The NRA’s financial muscle is also frequently overstated; it doesn’t even make it onto the list of top 100 lobbyists in Washington – and gun control advocacy groups, backed by activist billionaires such as Michael Bloomberg, now frequently outspend the pro-gun crowd. Of course, it would be better for the association’s socially conservative and unnecessarily polarizing rhetoric – sometimes veering onto the topics of abortion or video games – to be offset by the voice of other, more liberal groups. But ironically, organizations such as American Civil Liberties Union – well-known for fearlessly defending controversial speech – prefer to avoid the Second Amendment; they do so not because the latter concept has lesser constitutional standing, but because supporting it would not sit well with their own, progressive support base.

America’s attitude toward guns is a choice, not a necessity. It is also true that gun violence is a devastating problem; and that the emotional horror and lasting social impact of incidents such as school shootings can’t be possibly captured in any cold, dry statistic alone. But there is also nuance and reason to the gun control debate that can be hard to see for newcomers from more firearm-averse parts of the world.

For the next article in the series, click here. Alternatively, if you prefer to keep reading about firearms, go here for an overview of the gun control debate in the US.