| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 5 Oct 2011 15:04:05 +1100
From: xD 0x41 <secn3t@...il.com>
To: Laurelai <Laurelai@...echan.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: VPN providers and any providers in general...
hmm.. yes interesting..
On the flip side would it be that hard for a malicious person who works at a
VPN provider to blame it on a customer? I don't think that's what has
happened in this case, but hypothetically what is to stop a rouge employee
from abusing the trust that a LE official might have and doctoring logs sent
to them?
Absolutely nothing :)
This is where, as i was saying... a shell owner/employee, could easily make
any police run in circles simply trying to get a decent tap on something...
this is where it gets cloudy... but, this is what is being questioned on
this threead to...
I guess we have gotten somewhere.
A. Do NOT use VPN and shell services, to commit crime
B. Do NOT commit crimes, in USA,especially those of a large-scale cyber
nature,and
C. I apprently am laurelai and, i like popcorn (both are false)
Cheers!
xd
On 5 October 2011 14:30, adam <adam@...sy.net> wrote:
> That raises a good question: could a good enough defense attorney convey
> that point to a judge well enough to get the charges dismissed? Then again,
> if they really believed a VPN service would protect them (even while
> violating their agreement with said provider) - there's probably at least
> *some* evidence on their machine implicating them. In the event that
> there's not though, I do wonder how it would play out.
>
> It'd make for a relatively easy set-up, if that were to work the way you
> suggested. You could doctor all of the logs to implicate them, and even go
> as far as to use the same software/configuration that they use. No matter
> how true their "I have no idea what you're talking about" actually is, the
> logs plus added "evidence" could likely be enough.
>
> That entire thing reminds me of something I thought about after watching
> "to catch a predator" a couple of times. You'll notice that in most cases,
> the "predators" respond the same way: they play stupid, pretend not to know
> what's going on, etc. Imagine if you knew someone in real life that worked
> at a pizza delivery place. Now also imagine that you hated said person.
>
> The "undercovers" on that show are all pretty predictable, and some of the
> tactics they use are present in every single bust. Keeping that in mind, and
> with enough research, you could easily find one of their undercovers online.
> Now imagine starting a dialogue with one of them, pretending to be the
> person who works at a pizza place (for sake of simplicity, we'll call him
> Mike). Imagine sending pictures of Mike to the undercover, talking about
> having sex with her, sending her nude pictures of "you" or other people, and
> so on.
>
> Then wait for one day that you know Mike person is working (and that you
> know undercover would be willing to meet). Figuring out the former would be
> a simple call to the pizza place "Hey [name], do you know what time Mike
> comes in today?" From there, you could tell the undercover that you'll come
> in your pizza delivery car so that no one suspects anything, so that
> she recognizes you, whatever - and tell her that you'll bring a pizza (maybe
> even go as far as to figure out her favorite kind for added "evidence").
>
> During the day, lots of pizza places only have one or two drivers present.
> You could sit outside the pizza place and wait for [other driver] to leave
> and Mike to arrive (or do something to cause [other driver] not to make it
> back to the pizza place, e.g. slashing one of his tires on a fake delivery).
> There's lots of different ideas that could be implemented, as long as the
> end result is that you can guarantee Mike will be delivering the pizza. At
> which point, you call and request a delivery to undercover's house. Mike
> shows up there, undercover invites him inside and asks him to sit down - and
> at that point, Chris Hansen comes walking out. Even though everything Mike
> would say is indeed true, it'd sound like BS if we believed he had been
> talking to the undercover for a couple of months. He'd "play stupid" and
> would be charged with felony offenses of trying to entice a child/yada yada.
>
> In that situation, even if he could somehow come up with proof that he was
> set up - no one's gonna believe a pervert. It's just something that I've
> thought about a lot, and I wonder how many others have as well (and I
> especially wonder if anyone has ever attempted it).
>
>
> On Wed, Oct 5, 2011 at 12:06 AM, Laurelai <laurelai@...echan.org> wrote:
>
>> On 10/4/2011 7:52 PM, adam wrote:
>>
>> >>Its frightening how much power judges have, and how poorly they
>> are overseen.
>>
>> Definitely agree there. Some of the civil cases are disgustingly bad,
>> due to there being no media attention and no real oversight. The civil case
>> mentioned above is a good example, and all of the excessive child support
>> orders even further that.
>>
>> On topic: I haven't read every single reply here, but from what I've
>> seen: no one has mentioned the VPN provider being held personally
>> responsible. Being that the attacks originated from machines they own, if
>> they failed to turn over user information, could it really be that difficult
>> to pin the attacks on them and convince a judge that they were responsible?
>>
>> On Tue, Oct 4, 2011 at 9:37 PM, Jeffrey Walton <noloader@...il.com>wrote:
>>
>>> On Tue, Oct 4, 2011 at 10:32 PM, adam <adam@...sy.net> wrote:
>>> >>>
>>> http://www.justice.gov/usao/eousa/foia_reading_room/usam/title9/crm00754.htm
>>> > Did you actually read the link you pasted?
>>> > [...] and "criminal penalties may not be imposed on someone who has not
>>> been
>>> > afforded the protections that the Constitution requires of such
>>> criminal
>>> > proceedings [...] protections include the right [..]
>>> > Then take a look at the actual rights being referenced. Most of which
>>> would
>>> > be violated as a result.
>>> > In response to 0x41 "This is ONCE you are actually in front, of the
>>> > judge...remember, it may take some breaking of civil liberty, for this
>>> to
>>> > happen... "
>>> > No, you're absolutely right. That's the point here. Contempt is
>>> attached to
>>> > the previous court order, there wouldn't be a new judge/new case for
>>> the
>>> > contempt charge alone. All of it is circumstantial anyway, especially
>>> due to
>>> > how much power judges actually have (in both criminal AND civil
>>> > proceedings).
>>> Its frightening how much power judges have, and how poorly they are
>>> overseen. Confer: Judge James Ware, US 9th Circuit Court (this is not
>>> a local judge in a hillbilly town).
>>>
>>> Jeff
>>>
>>
>> Also a good point.
>>
>> On the flip side would it be that hard for a malicious person who works at
>> a VPN provider to blame it on a customer? I don't think that's what has
>> happened in this case, but hypothetically what is to stop a rouge employee
>> from abusing the trust that a LE official might have and doctoring logs sent
>> to them?
>>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists