What concerns me about the bogus Walter O'Brien story is twofold: (1) Gullible reporters simply repeat his claims without even the slightest bit of skepticism, which is just shameful reporting and (2) O'Brien and his friends aren't just making a TV show: they're trying to spin the TV show (which, as far as we can tell has close to no basis in reality) into a way to promote O'Brien's "business" with claims that are wholly unbelievable -- in that, literally, I don't think most of the claims are true. It worries me that some people will take the TV show's inflated claims at face value and think that throwing gobs of money O'Brien's way will get them the clearly exaggerated solutions the show is pitching.
Last week, O'Brien appeared with Scorpion producer (and Justin Bieber manager) Scooter Braun at the "Techmanity"* conference in San Jose, and I went to the show hoping to talk to O'Brien and/or the producers of the show to see if they could help clear up the inconsistencies in his story (many of which we detailed in the original post). Instead, despite multiple requests, I was denied an opportunity to interview them before or afterward. They did appear to show up right before going on stage, and then I was told they had to leave immediately after (though, at least one other conference attendee posted a selfie with O'Brien well over an hour after O'Brien got off stage). Despite the agenda specifically promising a Q&A with O'Brien and multiple producers, there was no Q&A (and those other producers weren't even there). A microphone stand that had been present for Q&A during earlier sessions was removed prior to the panel, so it was clear that there was no intention of a Q&A at all.
Instead, there were just more questionable claims from O'Brien, on a panel moderated by Fast Company's Chuck Salter, an "award winning" reporter who didn't seem interested in challenging a single claim from O'Brien, taking them all at face value. Fast Company, which co-produced the conference, and thus, perhaps, had business reasons for suppressing all skepticism, also wrote a big article again repeating the O'Brien myth, though that article appears to have been dropped behind a paywall. O'Brien tells some of the same stories he's told before -- claiming the company only hires people with IQs over 150 and that people with high IQs have "low EQs" and they try to help them on that front. This leaves aside the whole fact that the concept of "EQ" is pretty questionable in the first place and that even IQ is a pretty limited and misleading tool, which may be useful for determining some innate problem solving skills in kids, but means little once they reach adulthood. Once you're an adult, however, IQ is somewhat meaningless. That doesn't stop O'Brien from continuing to assert that he has an IQ of 197, or multiple publications from claiming that he's either the "fourth smartest man" in the world or has the "fourth highest IQ ever recorded."
As we noted in our original post, there is no public evidence that O'Brien actually even has such an IQ, let alone that it's the 4th highest ever recorded. In his Reddit AMA, Walter admits that the "4th highest" claim comes from just getting a 197 (still no proof shown) and using this table on the distribution of IQ to assume that he must be the 4th because a 197 IQ only should occur in 1 out of every 1.5 billion people, and then he estimated based on the number of people on the planet. Of course, for someone with such a high IQ, that shows a surprising lack of understanding how IQ actually works. He also notes that he took the Stanford-Binet IQ test, though he doesn't say when. If it was while he was a child (as suggested by his claim to have been "diagnosed" as a "child prodigy") then it's likely he took an earlier version of the Stanford-Binet test -- either the SBIV or the L-M, depending on when he took the exam. It seems noteworthy that modern research has noted that scales on the results of those two versions of the test should equal lower scores on the current SB5. The 197 score (assuming it's true), strongly suggests he took the L-M, which used a ratio scoring system, as opposed to the IV, which was standardized. As such, it also would mean that using the deviation chart Walter uses would be inaccurate, since the ratio score wasn't based on the same scoring system (you'd think someone with such a high IQ would recognize that). And, about all that would suggest was that, at a young age, he was likely far ahead of his peers, but that's about it. Either way, the whole "4th smartest man" in the world claim is clearly ridiculous.
After some other chatter, O'Brien talks (again) about hacking NASA at age 13 (he still hasn't explained how Homeland Security came to get him at the time considering Homeland Security didn't exist and wouldn't be operating in Ireland, but details, details) and then hacking into banks at age 16. Then he says he was developing some software "image recognition software" which he notes he developed "for peaceful purposes" related to autonomous vehicles around that time "for the government and a private contracting group underneath the government" (not sure what that even means). Then he says that project got scrapped, and "the software got reused, without my permission, in the Gulf War" leading to "2600 casualties for civilians, because it was built for speed over accuracy." He notes that he "took that pretty hard." He then says he "didn't talk to anyone for about 18 months, I became scared of my own abilities."
I can't see how any of that is even close to accurate. The timing of the first Gulf War would have coincided with Walter being in high school, which matches his story about being recruited by the non-existent DHS, but even if he was developing image recognition software at the time, from Ireland, for the US government (really?), the idea that even after his project would be scrapped that he'd then be told (as an Irish high schooler) that the same software was misused leading to 2,600 casualties? That's not happening.
That leads to a discussion about how his company, Scorpion Computer Services came about. He claims he was just being asked to do usual computer things -- set up computers, install operating systems, set up printers, etc and the business just grew -- to the point that he was doing work on "localization." Of course, to some extent much of that might be accurate, and Walter's own LinkedIn page suggests he was working on a bunch of fairly straightforward (i.e., no "genius IQ" required) projects around localization. This is further supported by the "references" page on the Scorpion Computer Services website, which is basically just a bunch of reference letters from the late 90s referring to what appear to be fairly mundane computer jobs he held -- often with fairly muted praise. My favorite is this one in which a development manager merely "confirms" that Walter O'Brien worked there. Not explained is why the genius who is building amazing image recognition software for the US military is now working on Word Basic and Visual Basic for projects in Ireland... and apparently desperate for references to get a new job. Something doesn't add up. And of course, Walter still posts this letter from Steven Messino, claiming Messino is a "co-founder of Sun Microsystems." Yet, as we noted last time, Messino joined Sun years after it was a public company, and then as a "regional sales manager."
O'Brien also leaves out the fact -- as seen on his own LinkedIn page -- that he was a QA guy at The Capital Group from 2002 through March of 2009 -- at which point, in the storyline, we're supposed to be believing that he was saving the world at Scorpion Computer Services. But, no matter, at the conference, O'Brien lists out the kinds of "projects" Scorpion was supposedly handling around this time: "Handle my divorce, put a shark tank in my office, build a casino overseas, choose winning race horses based on their DNA." I'm guessing these are plotlines for future episodes of the TV show. How much they're based in reality, well, that's anyone's guess. In past interviews, O'Brien has shied away from saying how much of the actual show is true, pretending that he can't really reveal it. Yet here, he at least suggests that the plots of the shows are almost entirely fictional (which makes sense, given the pure ridiculousness of the plots). So, for example, after a clip is shown of the TV version of Scorpion making a bunch of ridiculous assumptions to find a guy on an airplane with an analog phone turned on, O'Brien just says that "out in the desert" doing some testing they have to use "old Nokia analog phones, because it's the only thing that will pick up a signal -- so I knew that those old phones have a stronger signal." So, first of all, he seems to be admitting that the whole premise of calling the guy in the plane is made up -- it's just based on his personal experience with old analog phones out in the desert. Second, for a technical genius problem solver, he doesn't seem to have the faintest idea why analog works better out in the desert, or have much knowledge about wireless frequencies and the different ways in which analog and digital phones work. He later admits that the story of the plane flying low with the car driving under it was his "idea" (not based on reality) and that the director added the ethernet cable concept to make it "more exciting."
In other words, Walter appears to reveal that he just tosses out some ideas about technologies, and then the writers create these crazy scenarios that have almost no basis in reality (the second show appears to have been equally as unreal, focusing on a "personalized virus" that was designed for a single person. Uh, yeah).
Basically, this whole thing just continued to reinforce the idea that Walter O'Brien's claims appear to be a Walter Mitty-esque imagining of the world he wants to live in, rather than one based on reality. Other stories claim that Scorpion Computer Services has "2600 people in 20 countries and over $1.3 billion in revenue" (that's from the Fast Company story). Yet, on LinkedIn I can find only 10 people who list Scorpion as an employer -- and some are merely "advisors." No, you don't expect everyone to list Scorpion or even be on LinkedIn, but 10 out of 2600 people? That's not particularly believable. Then there's the fact that the company's address is a UPS Store in Burbank, and the building shown on its website is actually a photoshopped image of the headquarters of German glass manufacturer, Glaskoch, based in Bad Driburg, Germany.
In other interviews, he's directly said -- or often coyly implied -- that his work helped "stop two wars" (at 3:09 in this video), caught the Boston bombers (though this video just says the FBI used "the kind of technology" that was developed by O'Brien -- not that he actually developed, and presents no evidence the FBI even used similar tech, let alone O'Brien's), and searched for the downed Malaysian Airlines plane, saying his software was used "to make sure the crash site wasn't tampered with."
O'Brien frequently plays up the fact that he's in the US on an EB1-1 visa, which he always notes is the "same one given to Albert Einstein and Winston Churchill." That may be true, but he makes it out like he and those two are the only ones who got this visa. Actually, thousands of people get one every year. In O'Brien's visa application he claims "he placed among the top programmers in the world in several international high-speed programming competitions, including a sixth-place finish in the 1993 Information Olympics, and first-place showings in the 1991 and 1992 Wisconsin International Computer Problem Solving Competition." Except, elsewhere reports have him coming in 90th in the 1993 Informatics Olympiad and sixth (not first) in Wisconsin. So, did he lie on his visa application too?
The various companies that O'Brien is associated with have websites that are filled with gibberish rather than actually supportable claims. "We saved $43 billion in opportunity risks over a five-year period." That doesn't make any sense. "We invented an efficiency engine that performs 250 human years of work every 1.5 hrs with over 99% improvement over human error." An old, now deleted, part of the Scorpion website hilariously claimed that Scorpion Computer Services was a venture fund with $204 billion (with a b) under management. It also claims that it had a 7200% return in 1999. This was on his website in 2003 -- the very same time he was doing QA for The Capital Group. Odd.
The "ScenGen" software that Walter frequently touts as being able to "exhaustively... think of" and then "execute... all user actions" appears to just be a rather straightforward system for inputting a bunch of variables and brute forcing every possible combination. The documentation on it suggests that you can solve NP-complete problems, like the traveling salesman problem, just by running every possible solution through a computer program.
While you, of course, could run through all possible scenarios, that's... not a particularly useful or intelligent way to solve complex problems.
Walter has hinted that one of the reasons he "went public" now is because Wikileaks revealed some of the projects he's worked on. Indeed, there is this page on Wikileaks from the hacked and leaked Stratfor emails, showing Walter trying to reach out to the founder of Stratfor, George Friedman, in 2009 saying "we should talk" and including a PowerPoint about ScenGen... and a resume for Walter which does not mention Scorpion Computer Services (and also lists himself as a "tech specialist" at Capital Group, rather than "Tech Executive" as his LinkedIn now claims). In 2009 -- at which point we're now supposed to believe Scorpion has been in business for 25 years. Yet, the email is sent from Walter's MSN.com email address. It also says nothing of his supposed image recognition skills, but focuses on his QA, compliance and globalization work. It also includes the same 1990s press clippings that Walter promotes on his website. There doesn't appear to be any reply or any other Walter-related info on Wikileaks.
In the presentation, though, we learn that this masterful bit of programming called ScenGen is less than 200kb in size and produces output like this:
The more you dig, the more of the same you find. Former co-workers of O'Brien's have shown up in comments or reached out to me and others directly -- and they all say the same thing. Walter is a nice enough guy, works hard, does a decent job (though it didn't stop him from getting laid off from The Capital Group), but has a penchant for telling absolutely unbelievable stories about his life. It appears that in just repeating those stories enough, some gullible Hollywood folks took him at his word (and the press did too), and now there's a mediocre TV show about those made-up stories. Again, I'm all for fictionalized TV. And O'Brien, Braun and others associated with the show keep claiming that they're doing this to help "smart kids" not feel like outcasts (though, I'd think the success of Silicon Valley and the internet in general, is doing a much better job of that...). And that's great. But, telling highly questionable stories that seem easily debunked doesn't seem like a good way of helping people. It just feels... like a fraud.
In fact, the story continues to remind me of the similar case of Shiva Ayyadurai. In both cases, you seem to have guys who had a certain amount of fame about their computer programming prowess as teenagers, and where both of them still keep those newspaper clippings from their youth around and frequently highlight them and show them off as if it's proof that they did, in fact, amount to something great later in life even if the actual details of their lives don't quite match the hype. They both seem to cling to those predictions of their youth as if they had to come true. In both cases, they successfully convinced some folks -- notably, a gullible press -- to spin the fictionalized account as being something more. I have no problem with people exaggerating and puffing up their own stories -- that's pretty common. But when it's being used in a way to fool the press and the public and take credit where little is deserved, often with ulterior motives in mind, that seems problematic.
* Side note: in nearly 20 years of conference attending, Techmanity appeared to be one of the worst organized events I've ever attended. In many ways, it felt like the Walter O'Brien of conferences -- making lots of fantastical claims that didn't hold up to much scrutiny ("Silicon Valley's Biggest Annual Gathering"? Not even close. They held the "Techmanitarian Awards" which was described as an "Exclusive, VIP celebration" yet anyone could have just wandered in -- and, even then not too many people did, "the most dangerous and disruptive startups on the planet" not even close). The event organizers appeared to figure out a way to get a few famous Hollywood/music industry folks (Jared Leto, Weezer, Troy Carter, Scooter Braun, Thievery Corporation), but very few actual tech minds. The whole thing seemed designed to get as much money out of sponsors as possible, with little thought to the actual content of the event, beyond "ooh, famous people, the sponsors will love that!"
There was lots of talk about "bottom up" creations and the end of powerful top down efforts, yet almost no sessions had any interactions (only a few even had basic Q&A). The pinnacle of poor organizing was highlighted by the scheduled promise of a free showing of Brian Knappenberger's documentary on Aaron Swartz, The Internet's Own Boy, at a local movie theater in San Jose. A bunch of attendees trekked over to the theater only to be told the theater had no idea what any of us were talking about. On contacting the media relations people at the conference we were told that someone "forgot" to actually set that up, despite it being on the agenda. A bunch of angry conference-goers were left pondering what to do outside the theater. I feel particularly bad for the various startups who must have paid a pretty penny to be part of "Startlandia" a bunch of startup kiosks that went mostly ignored. Some I spoke to flew in especially for this event, expecting something with a lot more substance. Instead, they got a Potemkin Village of a tech conference.
Finally, at least the "media" side of the event was organized by Racepoint Group. I knew the name sounded familiar -- and then remembered that the CEO of Racepoint is Larry Weber, the PR "guru" behind the Shiva Ayyadurai story. I don't know if/how Racepoint is connected to the whole Scorpion thing, but at the very least, the connection is an amusing coincidence. Perhaps there's a PR business to be built in building up fake tech heroes.
The latest such example seems especially troubling because no one has any idea what's fully happening, but it appears to involve Chan Luu, a jewelry and clothing retailer. The Internet Commerce Association notes that approximately 5,000 domains appear to have been seized, handed over to a private "receiver" who is now trying to sell those domains -- for no clear reason. One of the victims, Michael Berkens, who lost some of his domains, has explained what little details he's been able to find out:
Overnight I received a notice that several domain names I owned were transferred by a sealed court from Verisign without notice and of course without the court order.
The domain names just were transferred by Verisign to another domain and are now listed for sale at another marketplace.
Another domainer sent me an identical notice he received overnight on domain names he owned.
The Domain names are now all owned by COURT APPOINTED RECEIVER – ROBERT OLEA and have been moved to Uniregistry as the registrar and are now listed for sale at domainnamesales.com
The only information that Berkens received was the following email:
Please be advised that Verisign has changed the registrar of record for certain domain names pursuant to a ***SEALED*** court order.
The domain names identified below were affected by this action.
Alexander the Great, LLC
If you have any questions relating to these actions, please contact:
David J. Steele
Partner, Christie, Parker & Hale LLP
Adj. Professor of Law, Loyola School
18101 Von Karman Ave, Suite 1950
Irvine, CA 92612-0163
office: +1 (949) 476-0757
direct: +1 (949) 823-3232
fax: +1 (949) 476-8640
Thank you very much,
The Verisign Transfer Dispute Team
email@example.com
Others have tracked down that it has something to do with this case, but with the details under seal, it's all a bit of a mess. Here's Phil Corwin from the Internet Commerce Association:
The only other available facts that we are presently aware of are that a copy of the “Clerk’s Certification Of A Judgment To be Registered In Another District” issued by the U.S. District Court for the Central District of California in the case of Chan Luu Inc. v. Online Growth, LLC et al is available at the Justia website, and the order was registered in the Florida Middle District Court. The other defendants in the case are “Grant Shellhammer et al”. There was a considerable time lag in this proceeding, with the original judgment entered in California on May 23rd, the certification dated September 8th, and the domain transfers occurring around October 2nd. The damages granted to plaintiff are $200,000 plus interest, court costs and attorney fees; we note that there is a strong possibility that the domains transferred in this case may have an aggregate market value far in excess of that total judgment, and that is likewise disturbing. The California court document covers domains that are identical or confusingly similar to Plaintiff’s CHAN LUU mark – but we’re not sure if the domain cited by Mike in his article, RETRACTIT.COM, or any of the other transferred domains fit in that category. Chan Luu is a retailer of jewelry, accessories, and ready-to-wear clothing based in Los Angeles, and so far as can be discerned makes no commercial use of the term “retractit”, so it is unclear why that domain was covered by the court order.
This is problematic on many, many levels -- and is exactly why we've been so concerned about any process that allows for domain seizures without any sense of due process.
In this case, with all the details under seal and the domain owners having their websites simply ripped away from them with no explanation at all, it should raise serious questions about why courts are allowing this to occur. To take domain names away from people who aren't even parties to a lawsuit, based on a sealed document, and then to immediately put them up for resale seems sketchy beyond belief.
Washington Post's Clueless Editorial On Phone Encryption: No Backdoors, But How About A Magical 'Golden Key'?
Much of the editorial engages in hand-wringing about what law enforcement is going to do when they need the info on your phone (answer: same thing they did for years before smartphones, and most of the time with smartphones as well, which is regular detective work). It even repeats the bogus use of the phrase "above the law" that FBI director James Comey bizarrely keeps repeating (hint: putting a lock on your stuff isn't making you above the law). But the real kicker is the final paragraph:
How to resolve this? A police “back door” for all smartphones is undesirable — a back door can and will be exploited by bad guys, too. However, with all their wizardry, perhaps Apple and Google could invent a kind of secure golden key they would retain and use only when a court has approved a search warrant. Ultimately, Congress could act and force the issue, but we’d rather see it resolved in law enforcement collaboration with the manufacturers and in a way that protects all three of the forces at work: technology, privacy and rule of law.
Did you get that? No "back door," but rather a "golden key." Now, I'm not sure which members of the Washington Post editorial board are engaged in mythical "golden key" cryptography studies, but to most folks who have even the slightest understanding of technology, they ought to have recognized that what they basically said is: "a back door is a bad idea, so how about creating a magic back door?" A "golden key" is a backdoor and a "backdoor" is a "golden key." The two are indistinguishable and the Post's first point is the only accurate one: it "can and will be exploited by bad guys, too." That's why Apple and Google are doing this. To protect users from bad guys.
In the meantime, just watch, and we'll start to see ignorant politicians and law enforcement start to echo this proposal as well, talking down "backdoors" and talking up "golden keys." The fact that we already had this debate in the 1990s, when the "golden key" was called "key escrow" and when having the government lose that war was fairly important in allowing the internet to become so useful, will apparently be lost on the talking heads.
Still, a small request for the Washington Post Editorial Board: before weighing in on a subject like this, where it's fairly clear that none of you have the slightest clue, perhaps try asking a security expert first?
Tomorrow the House of Representatives votes on a new amendment to Article 11.7 of the Telecommunications Act (Telecommunicatiewet), popularly known as the 'cookie law'. The original provision required providers of information society services (such as websites) to ask visitors for consent before placing files (such as cookies) or reading out information in order to track those visitors. A good principle. It protects you against companies that keep track of everything you do online without your knowledge or consent.
In practice, however, companies often lump all cookies together and ask for consent for cookies in general, often accompanied by vague terms such as "a properly functioning website" or "your ease of use". In addition, some websites set up cookie walls: you may visit the site only if you first agree. Or you agree automatically by using the site. In short: companies create confusion, deliberately or not, so that you as a user do not know where you stand and have no real choice.
To find something of a solution to this, the House will vote tomorrow on an amendment to the law. From now on, websites will not have to ask for consent for cookies or other tracking that is intended for analytical purposes and has little or no effect on privacy. That, too, is reasonable. Unfortunately, a worrying development has emerged in the debate. According to Minister Kamp, implicit consent is in general sufficient as well. So websites really only need to inform. If the visitor of the website clicks through, that is sufficient consent.
Strangely enough, the PvdA, through MP Oosenbrug, is also in favour of this implicit consent. As a result, there is suddenly a majority for Minister Kamp's plans.
Implicit consent, however, is a farce. It takes away the citizen's control over whether or not to give consent. A user is pushed towards consent without doing anything; so there is no real choice. The privacy regulation and other privacy legislation always assume explicit consent. It is therefore very strange that the minister interprets this differently for online tracking.
Kees Verhoeven of D66 has tabled an amendment that does require explicit consent. That would do justice to our privacy legislation. He has also tabled a motion calling on the government to give visitors clear information prior to implicit consent.
We hope that the PvdA will still choose to support Verhoeven's amendment.
In addition, Bits of Freedom has apparently been invited (we have not yet heard anything formally) to sit down with Minister Kamp and give our opinion on 'uniform notices'. It is good that the minister would like to hear our opinion, but let us then remind him of what we have been saying from the start: online tracking is permitted only with the explicit consent of the user. That is what we would like to talk to the minister about, not about how to give shape in practice to a watered-down version of that consent.
Ever since the government first declared it had located the Silk Road server linked to Dread Pirate Roberts (Ross Ulbricht) thanks to a leaky CAPTCHA, there have been questions about the plausibility of this explanation. Ulbricht's attorneys suggested it wasn't the FBI, but rather the NSA, who tracked the Silk Road mastermind down. This suggested parallel construction, something federal agencies have done previously to obscure the origin of evidence and something the FBI actively encourages local law enforcement agencies to do when deploying cell tower spoofers.
Technical documents filed in response to discovery requests seem to solidify the parallel construction theory. Brian Krebs at Krebs on Security and Robert Graham at Errata Security have both examined the government's filings (the Tarbell Declaration [pdf]) and noted that what the government said it did doesn't match what's actually on display.
Krebs' article quotes Nicholas Weaver, a researcher at the International Computer Science Institute at Berkeley, who points out that where the FBI agents say they found the leak doesn't mesh with the server code and architecture. “The IP address listed in that file — 188.8.131.52 — was the front-end server for the Silk Road,” Weaver said. “Apparently, Ulbricht had this split architecture, where the initial communication through Tor went to the front-end server, which in turn just did a normal fetch to the back-end server. It’s not clear why he set it up this way, but the document the government released in 70-6.pdf shows the rules for serving the Silk Road Web pages, and those rules are that all content – including the login CAPTCHA – gets served to the front end server but to nobody else. This suggests that the Web service specifically refuses all connections except from the local host and the front-end Web server.”
Translation: Those rules mean that the Silk Road server would deny any request from the Internet that wasn’t coming from the front-end server, and that includes the CAPTCHA. Weaver says that FBI agents would have been served nothing at all when attempting to access the server without using Tor. The server simply wasn't leaking into the open web. The more likely explanation is that the FBI contacted the IP directly and accessed a PHPMyAdmin page.
Robert Graham's analysis of the documents notes something slightly different than Weaver, but still arrives at the same conclusion.
Brian Krebs quotes Nicholas Weaver as claiming "This suggests that the Web service specifically refuses all connections except from the local host and the front-end Web server". This is wrong, the web server accepts all TCP connections, though it may give a "403 forbidden" as the result.
Even with this detail being off, the parallel construction theory still fits. Graham notes that the Tarbell Declaration (the filing that contains the official explanation of how the Silk Road server was accessed) is noticeably light on supporting documentation -- like screenshots, packet logs or code snippets.
Now that the government has been forced to hand over more technical documentation, its original story is falling apart.
Since the defense could not find in the logfiles where Tarbell had accessed the system, the prosecutors helped them out by pointing to entries that looked like the following:
184.108.40.206 - - [11/Jun/2013:16:58:36 +0000] "GET / HTTP/1.1" 200 2616 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
220.127.116.11 - - [11/Jun/2013:16:58:36 +0000] "GET
=right&nocache=3988383895 HTTP/1.1" 200 41724 "http://18.104.22.168/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"
However, these entries are wrong. First, they are for the phpmyadmin pages and not the Silk Road login pages, so they are clearly not the pages described in the Tarbell declaration. Second, they return "200 ok" as the error code instead of a "401 unauthorized" login error as one would expect from the configuration. This means either the FBI knew the password, or the configuration has changed in the meantime, or something else is wrong with the evidence provided by the prosecutors.
The NSA as the purposefully-missing link makes sense. First off, Ulbricht's back end server was located in Iceland. Graham points out basic authentication was provided by this server via Port 80. If the NSA was monitoring traffic in and out of Iceland (as it is legally able to do), it could easily have captured a password for this server.
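Graham's reading of the log entries can be turned into a mechanical check, shown here as an added example (not code from the post or the case filings): parse each Combined Log Format entry and flag any request from outside the allowlist that was answered with content rather than a 401 or 403. The allowlisted addresses, the `/phpmyadmin` prefix and the sample log lines are constructed assumptions.

```python
import ipaddress
import re

# Combined Log Format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?:\d+|-)'
)

# Assumptions for this example: localhost plus one constructed front-end IP.
ALLOWED = [ipaddress.ip_network("127.0.0.0/8"),
           ipaddress.ip_network("192.0.2.10/32")]
ADMIN_PREFIX = "/phpmyadmin"  # assumed location of the admin pages

def classify(line):
    """Return a dict describing one log entry, or None if it cannot be parsed."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # truncated or malformed entry: never guess the request
    try:
        src = ipaddress.ip_address(m["host"])
    except ValueError:
        return None  # host field is not an IP address
    status = int(m["status"])
    if any(src in net for net in ALLOWED):
        verdict = "expected"            # front end or localhost
    elif status in (401, 403):
        verdict = "denied"              # connection accepted, content refused
    elif 200 <= status < 400:
        verdict = "served-to-outsider"  # contradicts the access rules
    else:
        verdict = "other"
    area = "admin" if m["path"].lower().startswith(ADMIN_PREFIX) else "site"
    return {"host": m["host"], "path": m["path"], "status": status,
            "area": area, "verdict": verdict}

def audit(lines):
    """Entries where a non-allowlisted client received content."""
    parsed = (classify(line) for line in lines)
    return [e for e in parsed if e and e["verdict"] == "served-to-outsider"]

# Constructed sample entries (documentation address ranges, not case data).
SAMPLE = [
    '192.0.2.10 - - [11/Jun/2013:16:58:30 +0000] "GET /index.php HTTP/1.1" 200 2616 "-" "-"',
    '198.51.100.7 - - [11/Jun/2013:16:58:31 +0000] "GET / HTTP/1.1" 403 162 "-" "-"',
    '198.51.100.7 - - [11/Jun/2013:16:58:36 +0000] "GET /phpmyadmin/ HTTP/1.1" 401 188 "-" "-"',
    '198.51.100.7 - - [11/Jun/2013:16:58:40 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 41724 "-" "-"',
    '198.51.100.7 - - [11/Jun/2013:16:58:41 +0000] "GET',  # truncated entry
]
```

Running `audit(SAMPLE)` returns only the fourth entry: an admin page served with a 200 to a client outside the allowlist, the pattern Graham says the stated configuration should not produce.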
Furthermore, the front end server (located in Germany -- also within the NSA's established dragnet) would return "forbidden" errors when accessed outside of Tor, but would not when accessing PHP files (as Weaver noted). To get to the admin page, other possibly non-NSA-related tactics could have been used. (Graham suggests a couple of different methods well within the FBI's technical grasp and abilities -- "scanning the entire Internet for SSL servers, then searching for the string "Silkroad" in the resulting webpage" or doing the same but correlating the results with traffic traveling across the Tor onion connection.)
However, none of the above is suggested by Tarbell's recounting of the events. In fact, the official narrative is vague enough that almost any explanation could fit. Tarbell doesn't even deny it was parallel construction. A scenario of an NSA agent showing up at the FBI offices and opening a browser to the IP address fits within his description of events.
Graham calls the declaration from Special Agent Tarbell "gibberish" (and points out that Ulbricht's opsec "sucks"). Ulbricht's legal team is still pushing for the government to explain why its declaration doesn't match the details it's handed over during discovery. A new filing by his attorney, Joshua Horowitz, isn't much kinder, calling the declaration "implausible." [pdf link]
The presiding judge has given the government until the end of Monday to respond to Horowitz's filing… if it wants to. [pdf link]
Defendant has submitted a declaration from Joshua Horowitz in support of his motion and request for an evidentiary hearing.
If the Government has any response to the factual statements (and/or relevance of the factual statements) asserted therein, it should file such response by C.O.B., October 6, 2014 (if possible).
The government may not feel compelled to respond. A filing from earlier in September (but added to the docket on Oct. 1st) suggests it's pretty much done discussing Ulbricht's "NSA boogeyman." [pdf link]
In light of these basic legal principles, the Government objects to the September 17 Requests as a general matter on the ground that no adequate explanation has been provided as to how the requested items are material to the defense. Most of the requests appear to concern how the Government was able to locate and search the SR Server. Yet the Government has already explained why, for a number of reasons, there is no basis to suppress the contents of the SR Server:
(1) Ulbricht has not claimed any possessory or property interest in the SR Server as required to establish standing for any motion to suppress;
(2) the SR Server was searched by foreign law enforcement authorities to whom the Fourth Amendment does not apply in the first instance;
(3) even if the Fourth Amendment were applicable, its warrant requirement would not apply given that the SR Server was located overseas; and
(4) the search was reasonable, given that the FBI had reason to believe that the SR Server hosted the Silk Road website and, moreover, Ulbricht lacked any expectation of privacy in the SR Server under the terms of service pursuant to which he leased the server.
Particularly given these circumstances, it is the defendant’s burden to explain how the contents of the SR Server were supposedly obtained in violation of the defendant’s Fourth Amendment rights and how the defendant’s discovery requests are likely to vindicate that claim. The defense has failed to do so, and the Government is unaware of any evidence – including any information responsive to the defense’s discovery requests – that would support any viable Fourth Amendment challenge. Instead, the defense’s discovery requests continue to be based on mere conjecture, which is neither a proper basis for discovery nor a proper basis for a suppression hearing.
The response document notes that it has already responded with several documents, won't be responding to a host of other requests, but most tellingly, says the government is "not aware" of any supporting documentation for Agent Tarbell's declaration. (As noted by Robert Graham, the declaration as written is "impossible to reconstruct," with the lack of technical details being a large part of that.)
5. The name of the software that was used to capture packet data sent to the FBI from the Silk Road servers.
Other than Attachment 1, the Government is not aware of any contemporaneous records of the actions described in paragraphs 7 and 8 of the Tarbell declaration. (Please note that Attachment 1 is marked “Confidential” and is subject to the protective order entered in this matter.)
6. A list of the “miscellaneous entries” entered into the username, password, and CAPTCHA fields on the Silk Road login page, referenced in the SA Tarbell’s Declaration, at ¶ 7.
See response to request #5.
7. Any logs of the activities performed by SA Tarbell and/or CY-2, referenced in ¶ 7 of SA Tarbell’s Declaration.
See response to request #5.
8. Logs of any server error messages produced by the “miscellaneous entries” referenced in SA Tarbell’s Declaration.
See response to request #5.
9. Any and all valid login credentials used to enter the Silk Road site.
See response to request #5.
10. Any and all invalid username, password, and/or CAPTCHA entries entered on the Silk Road log in page.
See response to request #5.
11. Any packet logs recorded during the course of the Silk Road investigation, including but not limited to packet logs showing packet headers which contain the IP address of the leaked Silk Road Server IP address [22.214.171.124].
See response to request #5.
Parallel construction matters, but the government claims it doesn't. It will probably continue to declare it a non-issue so long as the courts agree that Ulbricht's Fourth Amendment rights weren't violated. Ulbricht's Fourth Amendment defense is admittedly a disaster, making claims that have nearly no chance of holding up under judicial scrutiny. The Silk Road indictment is a lousy test case for challenging parallel construction.
But parallel construction spills over into purely domestic investigations where Fourth Amendment rights are supposedly guaranteed. As long as the "expectation of privacy" isn't violated -- according to the government's definition of what does and doesn't enjoy this "expectation" -- the origin of the evidence isn't really up for discussion, according to the government's own filing. And what the government says here is that what was ultimately obtained matters more than how it was obtained. Parallel construction covers up invasive surveillance and investigative tactics, providing courts with evidence that looks clean but was illicitly gathered.
Compare and contrast:
Product A:
Alerts for terms used in Chat or Texting.
Access to videos as well as web, camera and cell phone images loaded on device.
Review & delete images.
Email, Print or Save results.
View Internet History Log.
Keystroke logging.
Product B:
View sent/received text messages.
Look at photos, videos, music stored on device.
View visited sites and bookmarks.
Alerts for suspicious words.
One of these products is handed out by law enforcement agencies. One just had its creator arrested after an FBI investigation.
Product A is ComputerCOP, a deeply-flawed set of tools that allows parents to spy on their children's computer activities, provided they don't mind getting hundreds of false positives returned during searches or having passwords stored as plaintext by the built-in keylogger.
Product B is StealthGenie, a piece of software aimed at giving the inherently suspicious (or routinely cuckolded) person surreptitious access to everything on their significant other's phone. The full set of features included is astounding, including location info, email access, eavesdropping via the built-in mic and the perverse ability to lock or wipe someone else's phone.
It's not that the FBI was wrong to shut down the sale of this software, even if it does sound like the sort of thing the agency wishes it could deploy rather than terminate. It's that the law enforcement-approved tool set overlaps so heavily with something aimed at tearing the digital roof off someone else's life.
ComputerCOP -- unlike the more (necessarily) targeted StealthGenie -- doesn't ultimately care who's using the device it's installed on. You may just want to track your kids' internet activity, but anyone who uses it while it's activated will have their web history -- along with any keystrokes entered -- automatically logged. If anything, ComputerCOP is a cheap, legal alternative to StealthGenie, even if it's strictly limited to personal computers.
But one of these is being handed out by law enforcement agencies without any oversight (and with loads of misinformation). The other was the subject of a federal investigation. There's a certain amount of disconnection here, similar to law enforcement's use of encryption to protect themselves from criminals but wanting to deny the public the same option.
Just replace "StealthGenie" with "ComputerCOP" in these statements from the FBI's press release and see if it ultimately makes any difference. [h/t to Techdirt reader Will Klein]
"Selling spyware is not just reprehensible, it's a crime," said Assistant U.S. Attorney General Leslie R. Caldwell. "Apps like StealthGenie are expressly designed for use by stalkers and domestic abusers who want to know every detail of a victim's personal life -- all without the victim's knowledge."
“StealthGenie has little use beyond invading a victim’s privacy” said U.S. Attorney Boente. “Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners.”
“This application allegedly equips potential stalkers and criminals with a means to invade an individual’s confidential communications,” said FBI Assistant Director in Charge McCabe. “They do this not by breaking into their homes or offices, but by physically installing spyware on unwitting victims’ phones and illegally tracking an individual’s every move. As technology continues to evolve, the FBI will investigate and bring to justice those who use illegal means to monitor and track individuals without their knowledge.”
Spyware is spyware, whether it's sporting a uniform and a badge or an orange jumpsuit and handcuffs.