Translation: Keeping with our effort to turn this country into more of a Panopticon, and aligned with our belief that no two parties should be able to communicate privately, we hate that you can send mail mostly anonymously, and this gives us a bit more power to surveil you by making stamps unique.
I’m so sick of all this baseless negativity tbh. It almost ruins the site when any discussion about anything devolves into “this is how the man is gonna take ur freedoms”.
> we hate that you can send mail mostly anonymously
At best 50% of the parties to the letter are known, at worst 100%. And that is with the mail sealed.
> communicate privately
There is a piece of paper between them and the contents, and they have been handed the literal envelope to deliver. That isn't much security, and not much privacy.
If you're going to make this claim, at least give a reasonable explanation as to how this deanonymisation works. Otherwise your comment is no better than "they're putting microchips in the vaccines" junk.
A simple scenario that comes to mind is that given a letter, it's now easier to tie it back to the stamp's point of sale. "Who purchased this stamp?" is a very hard question to answer in their current (essentially fungible) form. Adding barcodes makes this much easier.
This assumes that stamps are scanned when sold, to tie their barcodes to the purchaser. That may happen. It may not. But clearly the more scans a stamp gets increases the tracking resolution for a given piece of mail both after AND before mailing. This "before mailing" part is new and opens the door for a much higher level of surveillance.
Indeed it assumes the stamps are scanned upon sale. Otherwise, at best, what you obtain is "where was this stamp sold", which is completely non-identifying.
But if you think about it for more than ~10 seconds, you remember that stamps are sold in packs of 4-8 at least. They're also often sold in sheets of 50+. All this makes individual scans painful.
So you want to play the devil's advocate and make more assumptions; say, for example, "every stamp could trace back to its original pack, so only one of them needs to be scanned". But if that's the point of this panopticon move, then why put the barcode on the stamp, rather than … the pack itself?
Because you know what always gets scanned? The product's barcode. If I wanted to track people who buy stamps, I would create unique EAN13-compatible barcodes for every single pack sold, always start them with the same number space + some digits for actual different products, and voila, somewhat backwards-compatible, unique tracking on all those stamps without having to deploy a barcode on every single stamp, implement a swap-out scheme, etc.
Of course, maybe someone at GCHQ is reading my comment and thinking "fuck, why did we spend so much money on this scheme again?", but somehow I doubt it.
That doesn't make sense. What use would scanning the pack be, if the stamps themselves are not associated to the pack?
If anything all the stamps would have two IDs in the barcode. One linked to the sales location (always the same) and one as a counter for the individual stamps.
That would avoid having to scan every single one.
Instead of issuing every post office, supermarket and dodgy corner store a new barcode reader which can scan the stamps themselves in order to prove the point of the original person complaining of a panopticon?
I think you missed the part where I’m making the argument against this being even sort of practical as a surveillance tool.
To give a real world example: Imagine if America had a system like this in place when the Zodiac killer was active in California. A prolific writer of letters to the press, all of Zodiac's barcode-stamped envelopes would open up new potential leads in answering questions like "when was this stamp manufactured" and "where was this stamp originally sold".
Seems like there’s an easy workaround, you just buy some special issue stamps celebrating British birds or children’s TV characters or whatnot, that don’t have barcodes.
This affidavit is a laugh riot so far. Guy has a background in infosec, and holds a CISSP cert, among others. The FBI sends him crypto and what does he do?!
(1) immediately opens a KYC custodial account
(2) xfers the crypto there
(3) converts it to USD and sends it to his KYC bank in Colorado.
You can't make this stuff up. Also I love how (ostensibly either proton or tutanota) is referred to as "Foreign Email Provider". They should buy ForeignEmailProvider.com and make it another email domain for their users. I would love hackerman69420@foreignemailprovider.com
One of my deep background worries is how many criminals aren't caught because they don't make amateur mistakes. You always read these indictments and the perpetrator served themselves up on a silver platter. But what about all of those unsolved crimes that might simply be unsolvable!
This is FUD, but don't discount the fact that the 'easy' path to catching this criminal could be fabricated in order to hide the real, more intense, methods used by the authorities to uncover Jareh.
Well this takes the testing of compliance with regulations to a new level though. And here I am, doing my daily and weekly chores with HoxHunt and two other Q&A websites on our compliance procedures. And these aren't intellectual questions or anything - rote memorization is what they are striving for. I wish they would just send me crypto and be done with it.
The FBI got lucky that one of their honeypot email addresses was the inbox. And then obtained records corroborating everything, such as from Kraken.
and the access logs of the top secret material from the agency's systems.
The access logs said Dalke accessed. Kraken's logs said "there were deposits of Monero in Dalke's accounts that are the exact amounts you sent Dalke, accounting for exchange rate fluctuations". Kraken's KYC records said "here's Dalke and his addresses". The UPS store he was using for an address said "Yep, Dalke keeps a drop here". The bank account connected to Kraken said "Yep, it's Dalke". The setup at Union Station in Denver was for Dalke to come there between 11:30am and 3:30pm on September 28th, the affidavit ends 1 day before that, and Dalke was arrested in that exact location the next day.
okay, explain the parallel construction possibility?
he would have been emailing anyone and the compromised wires picked it up for the FBI to then begin their sting operation?
The FBI still had to do the work, but I think it's also plausible that they have a bunch of honeypot email inboxes around. I think since they had to do all the communication as well as the transferring of funds that it's not really parallel construction, at least in any controversial way for evidence collection. They got additional evidence that doesn't need creating a rationale retroactively.
I'm more worried about all the criminals that are out there not being caught because we won't crack down on what they're doing, not really because they're some kind of masterminds.
> Notwithstanding these measures, MTIC fraud remains a problem for the EU. As at November 2018, calculations estimating the annual costs of the fraud range from €20 billion up to more than €100 billion (depending on methodology adopted).[21] An EU Parliament study in October 2018 found that MTIC/carousel fraud is the most damaging type of cross-border VAT fraud with an estimated €50 billion losses on average per year.
France is also hemorrhaging billions through social benefits fraud, they don't even attempt to recover most of it as they don't have the manpower
I would be extra careful about the "billions" of social fraud in France.
Wikipedia makes a difference between the shortfall due to unpaid contributions (undeclared work for example) and the loss due to benefit fraud.
Different figures are given but it looks like most of those "billions" are in fact shortfall and not benefit fraud.
Most criminals are never caught. There is lots more crime going on than you might think. A lot of academics and journalists present crime as 100% captured by official statistics. Prosecutors do a lot of prioritizing.
Drug crime gets a lot of attention because the statutes are written in a way that makes the crimes very easy to prove. It’s far easier to prove the elements of a drug possession charge than it is to prosecute something like fraud.
Authorities go after the lowest hanging fruit or the most visible. Targeting the most visible feeds back into people's perception that if they commit a crime they will get caught.
The authorities are strategic in their approach but at the end of the day they are operating on finite resources.
The advantage the authorities have though is that they are playing offence. They can make plenty of mistakes and still achieve their objective.
Criminals just have to make one mistake and it can undo all the effort they have made to mitigate risk.
This reminds me of a thought I had a few years ago. A Sheriff in my state was arrested for buying IT equipment using department funds (I think it was Cisco gear) and selling it on eBay and pocketing the cash. He had done this a bunch of times. As someone who works in local government and knows how things work here, my thought was instantly the following:
-> some gear gets purchased but never used/installed for a few years. Sits around gathering dust.
-> Sheriff sees this, takes it home sells it on eBay. Nobody notices or cares. It wasn't being used after all.
-> Sheriff finds other unused gear, takes home and sells it.
-> No valuable unused gear left, so Sheriff starts buying stuff simply so he could take it home and sell it.
-> At this point it is noticed. Sheriff gets found out and arrested.
If it was just the first step, nobody would have noticed and the guy would have pocketed $20k or whatever, and no one in the world would have been the wiser. The auditors may have eventually discovered the piece missing, but long after any video recordings expired, and the original purchase was perfectly legit. But greed combined with stupidity got the guy arrested.
Only explanation I can think of is dude planned to leave the country shortly and figured he'd be gone by the time he got caught so there was no point in covering it up.
Also based on the value the crypto was Monero (and he used Kraken, which is the only big US exchange that converts the XMR/USD pair), so he probably didn't realize that even though it is difficult to directly trace where it came from via the blockchain, the exact unique amount deposited on a KYC exchange fucked him. A naive Monero user would probably think "impossible to find where monero came or went from, so I'm safe" not realizing they're leaking out the side-channel by depositing a unique amount on a centralized exchange.
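The amount side channel described in the comment above, as an added example that is not part of the original thread: matching a sender's payment records against an exchange's deposit ledger by amount and time. All amounts, timestamps, account labels and the `window`/`tolerance` parameters are constructed assumptions, not values from the affidavit.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed sample data: every amount, time and account label is invented.
SENT = [  # (time sent, amount in XMR) for payments whose sender keeps records
    (datetime(2022, 1, 3, 10, 0), Decimal("4.812739105522")),
    (datetime(2022, 1, 9, 15, 30), Decimal("11.204418870031")),
]
DEPOSITS = [  # (account, time credited, amount in XMR) from an exchange ledger
    ("acct-A", datetime(2022, 1, 3, 10, 40), Decimal("4.812739105522")),
    ("acct-B", datetime(2022, 1, 3, 11, 5), Decimal("5.000000000000")),
    ("acct-C", datetime(2022, 1, 4, 9, 0), Decimal("4.800000000000")),
    ("acct-A", datetime(2022, 1, 9, 16, 10), Decimal("11.204418870031")),
    ("acct-D", datetime(2022, 1, 9, 16, 20), Decimal("11.000000000000")),
    # Same amount but credited before the payment was sent: must not match.
    ("acct-B", datetime(2022, 1, 2, 8, 0), Decimal("4.812739105522")),
]

def correlate(sent, deposits, window=timedelta(hours=24), tolerance=Decimal("0")):
    """Map account -> indices of sent payments it could have received."""
    hits = defaultdict(set)
    for i, (t_sent, amount) in enumerate(sent):
        for account, t_dep, dep_amount in deposits:
            after_send = timedelta(0) <= t_dep - t_sent <= window
            if after_send and abs(dep_amount - amount) <= tolerance:
                hits[account].add(i)
    return {account: sorted(ix) for account, ix in hits.items()}

def accounts_matching_all(sent, deposits, **kwargs):
    """Accounts that received a matching deposit for every sent payment."""
    hits = correlate(sent, deposits, **kwargs)
    return sorted(a for a, ix in hits.items() if len(ix) == len(sent))

if __name__ == "__main__":
    print("exact amounts:", correlate(SENT, DEPOSITS))
    print("all payments :", accounts_matching_all(SENT, DEPOSITS))
    # With a loose tolerance the first payment alone is ambiguous; the
    # second payment is what separates acct-A from the rest.
    print("+/- 0.2 XMR  :", correlate(SENT, DEPOSITS, tolerance=Decimal("0.2")))
```

A high-precision amount forwarded unchanged is effectively a serial number; each additional matched payment shrinks the candidate set further, regardless of what the chain itself hides.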
"His resume also states that he has specialized training with federal law enforcement related to digital forensics and incident response, dark web investigations..."
Lol, I suppose he's guilty of lying on his resume too!
Yeah openssl CLI is so incomprehensible. And some parameters have to be configured using .conf files, ewww. The C API is hardly any better.
When I read the RFCs behind the stuff to write what I needed in Rust, suddenly it dawned on me: wow this stuff isn't nearly as complicated and horrible as openssl's interface makes it seem like.
I didn't expect the knowledge of the cli to do it immediately, this person didn't even know they could do it. "openssl dgst -sha256 filename". An answer that they'd need to check the man page would've been sufficient...
Does anyone have a tutorial on using the openssl cli? It seems to barf on some inputs if it's not exactly perfect or you miss a step in the stack overflow answer.
Honestly I would expect some to be more familiar with the hashXsum tools.
I'm guessing he fell for some internal honeypot, and that led to his immediate termination and subsequent monitoring. Then he also transmitted the honeydocs and the rest.
Sure they traced the crypto but that's not how they got him.
Automating daily Google Takeout requests is exactly the sort of behaviour that I fear would trigger an account ban at some indeterminate future date. There are just too many unknown unknowns for me with Google now. Their ecosystem is, and has been for a while, personally relegated to burner account status.