Date: Tue, 4 Oct 2011 22:30:33 -0500
From: adam <adam@...sy.net>
To: Laurelai <laurelai@...echan.org>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: VPN providers and any providers in general...

That raises a good question: could a good enough defense attorney convey
that point to a judge well enough to get the charges dismissed? Then again,
if they really believed a VPN service would protect them (even while
violating their agreement with said provider) - there's probably at least
*some* evidence on their machine implicating them. In the event that there's
not though, I do wonder how it would play out.

It'd make for a relatively easy set-up, if that were to work the way you
suggested. You could doctor all of the logs to implicate them, and even go
as far as to use the same software/configuration that they use. No matter
how true their "I have no idea what you're talking about" actually is, the
logs plus added "evidence" could likely be enough.

That entire thing reminds me of something I thought about after watching "to
catch a predator" a couple of times. You'll notice that in most cases, the
"predators" respond the same way: they play stupid, pretend not to know
what's going on, etc. Imagine if you knew someone in real life that worked
at a pizza delivery place. Now also imagine that you hated said person.

The "undercovers" on that show are all pretty predictable, and some of the
tactics they use are present in every single bust. Keeping that in mind, and
with enough research, you could easily find one of their undercovers online.
Now imagine starting a dialogue with one of them, pretending to be the
person who works at a pizza place (for sake of simplicity, we'll call him
Mike). Imagine sending pictures of Mike to the undercover, talking about
having sex with her, sending her nude pictures of "you" or other people, and
so on.

Then wait for one day that you know Mike is working (and that you
know undercover would be willing to meet). Figuring out the former would be
a simple call to the pizza place "Hey [name], do you know what time Mike
comes in today?" From there, you could tell the undercover that you'll come
in your pizza delivery car so that no one suspects anything, so that
she recognizes you, whatever - and tell her that you'll bring a pizza (maybe
even go as far as to figure out her favorite kind for added "evidence").

During the day, lots of pizza places only have one or two drivers present.
You could sit outside the pizza place and wait for [other driver] to leave
and Mike to arrive (or do something to cause [other driver] not to make it
back to the pizza place, e.g. slashing one of his tires on a fake delivery).
There's lots of different ideas that could be implemented, as long as the
end result is that you can guarantee Mike will be delivering the pizza. At
which point, you call and request a delivery to undercover's house. Mike
shows up there, undercover invites him inside and asks him to sit down - and
at that point, Chris Hansen comes walking out. Even though everything Mike
would say is indeed true, it'd sound like BS if we believed he had been
talking to the undercover for a couple of months. He'd "play stupid" and
would be charged with felony offenses of trying to entice a child/yada yada.

In that situation, even if he could somehow come up with proof that he was
set up - no one's gonna believe a pervert. It's just something that I've
thought about a lot, and I wonder how many others have as well (and I
especially wonder if anyone has ever attempted it).


On Wed, Oct 5, 2011 at 12:06 AM, Laurelai <laurelai@...echan.org> wrote:

>  On 10/4/2011 7:52 PM, adam wrote:
>
> >>It's frightening how much power judges have, and how poorly they
> are overseen.
>
>  Definitely agree there. Some of the civil cases are disgustingly bad, due
> to there being no media attention and no real oversight. The civil case
> mentioned above is a good example, and all of the excessive child support
> orders even further that.
>
>  On topic: I haven't read every single reply here, but from what I've
> seen: no one has mentioned the VPN provider being held personally
> responsible. Being that the attacks originated from machines they own, if
> they failed to turn over user information, could it really be that difficult
> to pin the attacks on them and convince a judge that they were responsible?
>
> On Tue, Oct 4, 2011 at 9:37 PM, Jeffrey Walton <noloader@...il.com> wrote:
>
>>  On Tue, Oct 4, 2011 at 10:32 PM, adam <adam@...sy.net> wrote:
>> >>> http://www.justice.gov/usao/eousa/foia_reading_room/usam/title9/crm00754.htm
>> > Did you actually read the link you pasted?
>> > [...] and "criminal penalties may not be imposed on someone who has not been
>> > afforded the protections that the Constitution requires of such criminal
>> > proceedings [...] protections include the right [..]
>> > Then take a look at the actual rights being referenced. Most of which would
>> > be violated as a result.
>> > In response to 0x41 "This is ONCE you are actually in front, of the
>> > judge...remember, it may take some breaking of civil liberty, for this to
>> > happen... "
>> > No, you're absolutely right. That's the point here. Contempt is attached to
>> > the previous court order, there wouldn't be a new judge/new case for the
>> > contempt charge alone. All of it is circumstantial anyway, especially due to
>> > how much power judges actually have (in both criminal AND civil
>> > proceedings).
>>  It's frightening how much power judges have, and how poorly they are
>> overseen. Confer: Judge James Ware, US 9th Circuit Court (this is not
>> a local judge in a hillbilly town).
>>
>> Jeff
>>
>
>  Also a good point.
>
> On the flip side would it be that hard for a malicious person who works at
> a VPN provider to blame it on a customer? I don't think that's what has
> happened in this case, but hypothetically what is to stop a rogue employee
> from abusing the trust that a LE official might have and doctoring logs sent
> to them?
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
