I'm Cthulhu » In The News https://www.thecthulhu.com Sat, 07 Nov 2015 19:22:28 +0000 en-GB hourly 1 http://wordpress.org/?v=4.3.1 The Legality of Sharing Dumped Data https://www.thecthulhu.com/legality-of-dumped-data/ https://www.thecthulhu.com/legality-of-dumped-data/#comments Wed, 14 Oct 2015 19:15:58 +0000 https://www.thecthulhu.com/?p=191 Note: The below does contain information as indirect quotes or paraphrasing of legally privileged communications with my solicitor. I have not authorised the disclosure of legally privileged material and the below disclosures, therefore, do not constitute a right for law enforcement to snoop further privileged communications.

Over the last few months, as per my other posts, I have tried to explain my reasoning for posting leaked data. Some have claimed I haven’t thought it through, others have said I am simply reckless. I want to assure everyone that I am neither reckless nor naive in the consequences for my actions.

Having spoken to my legal team, who have already demonstrated to me their exceptional legal knowledge in defending me from legal charges, they have assured me that my position from a legal perspective is just. I have explained openly what I am doing and have made no attempts to mislead people in my actions and have also posted plenty of warnings on where my responsibility ends for anything downloaded from my mirrors.

Some possible legislation any charges could be brought up are the following:

 

The Data Protection Act 1998: As I am not covered under the definition of a data controller or handler, I am exempt from regulation under the act.

 

Computer Misuse Act 1990: This Act of Parliament introduced three offences within the scope of the act that are as follows:
1. unauthorised access to computer material, punishable by 12 months’ imprisonment and/or a fine “not exceeding level 5 on the standard scale” (since 2015, unlimited);
2. unauthorised access with intent to commit or facilitate commission of further offences, punishable by 12 months/maximum fine on summary conviction and/or 5 years/fine on indictment;
3. unauthorised modification of computer material, punishable by 12 months/maximum fine on summary conviction and/or 10 years/fine on indictment;

My initial impression was that under offences 1 and 2, I may be liable as I did not have authorisation to access or provide access to the material. However, the offences above apply only to those who took the initial data and that is where the breach of proper authority to access it took place. Subsequently, when I download data from the open internet (even if said material has been stolen when unauthorised), I am not accessing that material unlawfully. If I was to download the material from the source (i.e., directly from the Patreon or Ashley Madison servers) then that would constitute an offence.

 

Theft Act 1968: Section 22(1) provides the scope for an offence usually associated to shoplifting or buying stolen goods, usually referred to as “Handling stolen goods”. The actual offence is as follows:
“A person handles stolen goods if (otherwise than in the course of the stealing) knowing or believing them to be stolen goods he dishonestly receives the goods, or dishonestly undertakes or assists in their retention, removal, disposal or realisation by or for the benefit of another person, or if he arranges to do so.”
There is an element of me making the data available to the public being construed as the retention of stolen goods for the benefit of another person, however as I have not paid for the data or otherwise encouraged the original offence of stealing the data, and that I accessed such data through legitimate means (downloading from a public source), I have been assured that it is highly unlikely a prosecution can be brought forward under these charges.

 

I believe most angles to prosecute are covered in the above and most have good case law to back me up in the event criminal investigations are ever launched into my conduct. That said, I have been warned by my legal team of the potential repercussions in other jurisdictions. For example, he has acknowledged that while US law is not his area, he believes my actions would constitute an offence under the Computer Fraud and Abuse Act (CFAA) which is a US law. Fortunately, I am not a US citizen, nor do I ever plan to visit the US or use US infrastructure (I make a point of boycotting US products where possible). Therefore, their laws do not apply to me and they never shall, so as far as I am concerned their level of authority over me matches the authority of Ghana’s legal system or North Korea even.

All in all, I still stand by my comments on why I am willing to host the data even when it is highly controversial. In extreme circumstances, I would be willing to omit some sections of the data or even remove the data. If that ever does need to happen I will clearly explain why and what sections of data were removed. Until that day though, my work shall continue.

]]>
https://www.thecthulhu.com/legality-of-dumped-data/feed/ 4
Shoddy “Dark Web” Journalism https://www.thecthulhu.com/shoddy-dark-web-journalism/ https://www.thecthulhu.com/shoddy-dark-web-journalism/#comments Wed, 24 Jun 2015 21:25:00 +0000 https://www.thecthulhu.com/?p=147 As outlets have a history of removing content where they make some mistakes, I have made a copy of the article below:

http://thecthulhu.com/wp-content/uploads/article_biuk/index.html

The original can be found here:

http://uk.businessinsider.com/dark-web-researcher-discovers-ip-addresses-in-plain-sight-2015-6?r=US

A few days ago I complained that part of the “dark web” problem is that we often see sensationalist claims from media outlets who don’t put the time into proper research. Well, I have one excellent example of this that I was to dissect for some quite key errors.

 

“This specific forum, called the Tor Carding Forum v2, was quietly shut down, but White was still able to uncover its hosting address even though the forum currently appears to be completely shut down. “

The article on Motherboard, along the with the accompanying information on my blog and Twitter, made clear that I seized the unmasking information many months prior to publication. I intentionally placed emphasis on this fact through the use of hashes and including the original tweet, which is dated. I have not in any way been able to recover the IP address of the service since it shut down. The reason that it is published now is precisely due to the fact it is now offline.

 

“Additionally, White found another dark web marketplaceā€™s IP address: A site called Kiss Marketplace, which reportedly offered goods like illegal drugs. The IP address White posted on his website still works if you put it in any browser, meaning that the servers powering this site have ostensibly been unmasked.”

No. Again, this marketplace is now offline and has been for a few weeks according to DeepDotWeb before I published, this was an intentional action. The IP address, therefore, does not work and at this point, is obvious to me you haven’t even tried. The screenshot included on Motherboard was taken by @josephfcox several months back when I first showed him the information. We sat on the information until we deemed it safe to release.

 

“With the IP addresses of these dark web marketplaces becoming public knowledge thanks to White’s recent discoveries, the police will also be able to use this knowledge to shut down the websites if they decide to follow up on White’s findings.”

The police might be able to chase up who rented the server associated with the IP address, but at this point it is questionably useful since it is unlikely there will be remaining forensic data to extract. Furthermore, for it to stand it court it is likely they would need my testimony on how the evidence was obtained. I have made clear that I am totally unwilling to assist law enforcement at this point for how they have treated me in recent months/years.

 

“It appears that criminals are scrambling online to use these new ways to create black markets, but their lack of diligence shows.”

Speak for yourself.

]]>
https://www.thecthulhu.com/shoddy-dark-web-journalism/feed/ 0
The danger of reversing the burden of proof https://www.thecthulhu.com/the-danger-of-reversing-the-burden-of-proof/ https://www.thecthulhu.com/the-danger-of-reversing-the-burden-of-proof/#comments Thu, 29 Jan 2015 08:47:01 +0000 https://www.thecthulhu.com/?p=83 Recently in the news there is a growing trend of sexual offence related articles and in fact we have seen new legal guidance issued on the handling of alleged rape/sexual offences. While I thoroughly agree that more needs to be done to tackle unreported incidents of sexual abuse and rape, the populist tone is now shifting this to an extremely dangerous path in the justice system.

Let us take some data published by The Guardian in 2013. It states the following data:

78,000 estimated rapes
15,670 reported to the police
3,850 are “detected” by way of being charged or handed an out-of-court disposal
2,910 face court proceedings
1,070 people were convicted at court

Now this information pretty much lines up with the information used by various women’s rights groups and groups who work in organisations supporting rape victims. I thoroughly support the work these groups are doing, and although I cannot say from personal experience how well they work, I can only imagine they do serve as a great support to victims of abuse. However, in light of the new guidance being issued, we must be very careful about how such data may be abused or misinterpreted.

Let us take the figure above and simplify them to the following:

Only 1 in 5 victims reports the incident to police

I feel this figure is quite safe to take as it is close to what Rape Crisis report in their figures.

Without prejudice, I feel this question must be considered; are women as likely to make a false accusation of rape as men are to commit a rape? Given this, we must weigh the factors that could lead a false allegation to be reported which include monetary compensation, tarnishing the reputation of the male accused and garnering sympathy from friends/family.

Let’s go with the idea that women are as likely to make a false allegation of rape as a man is to rape a woman. Using the above figures, that means for every 1 in 5 actual rape victims; there will be five false allegations made (since for a false allegation to be made it must be recorded). So 1 in 6 reports to police are real allegations, with 5 in 6 being false accusations.

This means of the 15,670 reports to police; only 2,612 are real.

Let’s change the figures and assume a man is five times more likely to rape a woman as a woman is likely to make a false allegation.

This still equates to 50% of all allegations made are false.

I do not know the true distribution of true to a false allegation. But I would guess they are about equal simply because of the incentives on offer to unscrupulous women vs men who actually commit a rape offence. Both of the above would be a crime and in the interest of not prejudicing either sex, making them equal is a neutral assumption.

Even erring on the side of caution, I believe the new guidance issued poses a very serious judicial problem where the interests of justice will not be served. If men have to prove consent was given, what of those thousands who may be falsely accused? Even if not convicted in court, it is well known a social stigma will follow, and the arrest for the offence still goes on their criminal record. Once the burden of proof is shifted to the defendant, it makes the accused guilty until proven innocent.

To demonstrate why this is dangerous, let me illustrate how this principle may apply in reverse. Let us assume every report of rape which reaches trial is true, and so the 2,910 of cases that arrive at trial are true reports of rape against a woman. Of these, 1,070 people are convicted of the offence. As the case is reversed, we then notice 1,840 of the charged individuals were found not guilty. If the burden of proof were shifted to the defendant, what if all of those found not guilty made a report of falsely reporting them to the police? Then the burden of proof lay upon the original reporter to show a rape had been committed? In reference to the prior trial and the male charged being found not guilty, this is of course a ludicrous position to arrive at but under the double jeopardy principle, the individual could not be tried again for the same alleged offence. But if the role were reversed, that means for every 1,070 males convicted of an actual rape, 1,840 women would possibly also be convicted for falsely accusing a male of a rape that actually occurred.

That would mean a woman would be more likely to be convicted for reporting the crime than the perpetrator of the crime itself. This isn’t even including the reports that do not arrive at trial.

To summarise my point here, although I have provided some crude examples and figures, the most important thing to take away is this; justice is never served by reversing the burden of proof. Shifting that responsibility to the defending party may achieve more convictions. But the convictions achieved under that reversal do not mean the conviction is true. This principle applies to every aspect of a good justice system and is why we should embrace the principle of innocence until proven guilty.

Is it just to have a system appeal to our credulity and not to our skepticism on the guilt of people?

]]>
https://www.thecthulhu.com/the-danger-of-reversing-the-burden-of-proof/feed/ 0
The Prime Minister Wants To Ban Encryption? https://www.thecthulhu.com/the-prime-minister-wants-to-ban-encryption/ https://www.thecthulhu.com/the-prime-minister-wants-to-ban-encryption/#comments Thu, 15 Jan 2015 04:20:40 +0000 https://www.thecthulhu.com/?p=76 This week, the UK’s Prime Minister, David Cameron, has suggested that there should be “not means of communication [which] we cannot read”. Now of course it would be easy to see the obvious consequences of such a measure, ranging from making the UK a prime hacking target for foreign attackers to possibly driving out the tech industry from our economy. That is before I even begin to elaborate on why such a measure is against the very fabric of the “modern liberal democracy” he purports to represent.

 

However, I would first like to draw the attention of everybody to a specific phrase he used when asked to clarify what the legislation would possibly entail. In reply, he expressed the need for “more modern forms of communication” to be allowed in the UK and to be covered by such legislation. This term, I would assume, is concerning smartphone apps (a commonly cited example would be WhatsApp and iMessage) as opposed to traditional messages in SMS form and plain text emails. Speaking as somebody who has been under surveillance (and still is), I know the concern over such “encrypted communications” is certainly not a problem to handle under existing legislation. In successive raids, I have had phones searched, “data storage mediums” seized and been subject to questioning over my activities. The one common factor, they never seem to have a problem with, is searching my phone. As an iPhone user, I expect no privacy on the device and to me it is much more for checking my Twitter account on the move, taking photos, reading the news and so forth. I have no email accounts tied to it and I certainly would never enter any private information into a device I know can be easily compromised either locally or remotely. Therefore, I can only deduce if the Prime Minister was concerned about terrorists using WhatsApp or iMessage, existing legislation (requiring a court signed warrant) would cover the scenario. Resorting to compromising the privacy of everyone using such networks in the name of “security” has nothing to do with combatting terrorism, but enabling mass surveillance.

 

Then we come to how “banning encryption” would be practical. I run a series of Tor exit relays, for example, but they are based in the Netherlands and Sweden. If I am under any obligation to provide information, that will mean logging the data passing through my exits to the servers/websites being visited. Yet this information alone is not very useful since the majority of traffic will be encrypted using TLS and what plaintext information is recorded, will be that of primarily foreign citizens to the UK. This information would not even be traceable back to the original owner in any case. The design of the Tor network prevents any one group [or individual] being able to correlate the users of the network to a particular packet of traffic leaving the exits. Furthermore, as all of the maintainers of Tor are based outside the UK, UK law would not apply to them or the product, meaning the software could not be forcibly backdoored anyhow.

 

This leaves the government with a few options; to disregard the legislation and the idea of banning encryption, or to set up the Great Firewall of Airstrip One [2]. Considering the successive assaults on access to the open internet by the UK government, if such power is granted to the security services and police force, I fear for my country. I fear we will raise the next generation with no expectation of privacy and grow up in the knowledge everything done is recorded, reviewed and held on their permanent records. In that knowledge, what are we to teach about risk and exploratory behaviour? Risk is inherent in everything great and when fear holds back those who we shall inherit our world, can we expect them to build upon what we have built?

]]>
https://www.thecthulhu.com/the-prime-minister-wants-to-ban-encryption/feed/ 0