UK sets up fake booter sites to muddy DDoS market (krebsonsecurity.com)
169 points by todsacerdoti on March 28, 2023 | 113 comments


One of the very few times a police force appears to be doing something effective when it comes to cybercrime. I wish they'd do a lot more honeypot operations - a lot of cybercrime is very low-level, perpetrated by kids with no/poor opsec - establishing honeypot presence on the major hacking forums where these kids congregate would do wonders. Not only will it yield actual leads for more serious cases, but would reduce crime to begin with if the markets become saturated with honeypot services in such a way that finding a real, "legit" one becomes impossible.


The UK police seem to be doing a disturbing amount of policing around what people say online.

I'm not sure if this is part of the anti-immigration/Brexit campaign or not, but it certainly caused me to cancel my previous idea/fantasy of living in the UK, so good job there!


No, it's not due to Brexit and policies associated with the right, such as more controlled immigration.

It's due to policies on the left, and the integration of those policies into institutions that should be neutral, such as the police force, as detailed by https://freespeechunion.org/


"the left" hasn't been in power in the UK since 2010


The issue is that policies are being implemented into supposedly neutral institutions, bypassing the democratic process.


The notoriously left-wing police force, lol.


You're not familiar with the issues around this topic.


Hey, can you please stop using HN primarily for political/ideological battle? We have to ban accounts that do that, regardless of what they're battling for or against. It's not what this site is for, and destroys what it is for.

If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.


It's the same country that did super-injunctions in the 2000s to great effect.

"In English tort law, a super-injunction is a type of injunction that prevents publication of information that is in issue and also prevents the reporting of the fact that the injunction exists at all."


Sounds like a dictatorship, hang on, didn’t they remove the sport presenter because he voiced that the asylum policy is a disaster?


The BBC is funded by the taxpayer, who rightfully expect impartiality from their presenters.

The sports presenter's comments raised questions on impartiality rules.

You can have any opinion you like, but if you're getting a large wage from an institution funded by the taxpayer, you can't use the platform like your own personal soapbox.


> The BBC is funded by the taxpayer, who rightfully expect impartiality from their presenters.

The BBC is not funded by taxation. It's funded by a subscription paid by owners of TV reception equipment. Some people who pay the licence fee also pay taxes, but some don't.

> you can't use the platform like your own personal soapbox.

Lineker didn't express his opinion on the BBC's platform. He used his personal account on Twitter, which is clearly separate from the BBC.

Whether licence-fee payers expect BBC sports presenters to refrain from expressing political opinions outside of their work for the BBC is debatable - as far as I know, nobody has consulted them in a systematic way.


> It's funded by a subscription paid by owners of TV reception equipment.

Netflix is funded by a subscription paid by owners of TV reception equipment.

The BBC is funded by a mandatory licence, i.e. a tax.

> Lineker didn't express his opinion on the BBC's platform. He used his personal account on Twitter, which is clearly separate from the BBC

Not according to the policy that Lineker agreed to, in order to work at the BBC.

> Personal Activity

> Disclaimers written in biographies such as ‘my views not the BBC’s’ provide no defence against personal expressions of opinion on social media that may conflict with BBC guidelines.

> They should not:

> express support for any political party

> express a view for or against any policy which is a matter of current party political debate

https://www.bbc.com/editorialguidelines/guidance/social-medi...


You conveniently ignore the fact that the guidelines you quote are specifically regarding "Individuals involved in the production or presentation of any output in News or other factual areas that regularly deal with a range of public policy issues"

Football commentators are not such individuals.


Read further

> There are also others who are not journalists or involved in factual programming who nevertheless have an additional responsibility to the BBC because of their profile on the BBC. We expect these individuals to avoid taking sides on party political issues or political controversies and to take care when addressing public policy matters.

Having such a public face of the BBC hyperbolically compare government policy to those of the Nazis in 1930s Germany is inappropriate.


Except he didn't, he used his own personal Twitter account. He is a contractor and there were a variety of previous presenters who did the same thing (eg. Alan Sugar vs Corbyn). Only they didn't criticise the government as Gary did and the BBC board is stacked with members of the Tory Party including the chair who arranged finance for the previous Prime Minister while applying for the role of Chair.

It was a clear case of government interference using the impartiality rules, only the conversation around impartiality went right above Gary to the powers that be immediately after his removal which is why he is back.


> Except he didn't, he used his own personal twitter account.

The BBC's impartiality rules cover this.

> Personal Activity

> Expressions of Opinion on Social Media

> Where individuals identify themselves as being linked with the BBC, or are programme makers, editorial staff, reporters or presenters primarily associated with the BBC, their activities on social media have the potential to compromise the BBC’s impartiality and to damage its reputation.

> Our audiences must be able to trust the integrity of BBC programmes and services and be confident that the outside activities of our presenters, programme makers and other staff do not undermine the BBC's impartiality or reputation or that their editorial decisions are not perceived to be influenced by any commercial or personal interests.

> They should not:

> state or reveal publicly how they vote or express support for any political party

> express a view for or against any policy which is a matter of current party political debate


Read the introduction:

> This guidance note is intended to help BBC staff operate appropriately in every aspect of their activities on social media

He isn't BBC staff.


> He isn't BBC staff.

That's not a fait accompli, and is why this situation arose:

> Do the policies apply to Lineker? The answer is yes. The policies apply to everyone who works for the BBC.

https://www.russells.co.uk/own-goal-for-bbc-with-gary-lineke...

> “I think there’s quite a lot of confusion about the extent to which the impartiality guidelines extend outside of news and extend to freelancers rather than staff, and until that’s cleared up we’re going to go on having these kinds of (problems).”

https://www.independent.co.uk/news/uk/gary-lineker-bbc-confu...

The public face of the BBC is not affected by whether or not the person is a permanent employee, but rather how prominent that person is in the organisation. It's disingenuous to suggest otherwise.


The first link just says "yes the policy does apply to him" without making an actual argument? And the second just says it's a grey area?


They weren't used by the government. They were used by individuals to hide information about themselves - usually adultery.

The BBC suspended Gary Lineker for a couple of days. They were massively criticised and he is back on air now.


The BBC suspended Gary Lineker for a couple of days, at the behest of the government for voicing his opinion on government policy. They subsequently apologised and he is back on air now.


The US has effectively similar laws. They can silence whistleblowers and troublemakers with National Security laws. Ladar Levison suffered under one and couldn't even tell his wife that he was getting sued by the government for hosting an encrypted mail service that Snowden used.


Gotta fake all the reviews too then. Guess it's not impossible but not as trivial as you make it seem.

Used to frequent these forums.


raiding existing services with rep and getting the owner to fold by promising leniency is a tried and true strategy, there's no reason to start from scratch.


Well, there are paid services to fake reviews too...


Unless those are also honeypots..


ChatGPT to the rescue


I think the point of these honeypot operations is that you wouldn’t know about them.


>“Users based in the UK will be contacted by the National Crime Agency or police and warned about engaging in cyber crime."

Do people really give their actual contact details to do crimey activities? I'm not a cybercriminal so I don't know about these sites. But if I had to do something illegal, I wouldn't use my actual name.

It seems more like how you set someone up. And they release the news about this site just days before the 1st of April. Why?


They won't be snagging professionals with this, and in this specific case I think that's fine.

I expect most of the people who'd fall for it are young or immature people, trying to get back at someone who beat them in a game or argued with them on social media. For whatever reason many of these folks see DDoSing, sending death threats and even swatting as "pranks" instead of crimes. A friendly reminder that doing this stuff can get them in serious trouble could nip that behavior in the bud before something tragic happens.


But the same systemic weakness that enables Swatting can be exploited here. Specifically that the government assumes good faith. Instead of sending a SWAT team to your house I can sign up for a DDoS in your name.


I'd like to think that the investigation would be more sophisticated than just see what name is on the ddos request.


You have far more faith in police than I do


Apart from people (hopefully) not using their real names to make the ddos request, I would guess the investigation is done by a tech department rather than non specialist officers.


You have far more faith in police than I do

We have nontechnical people making legislation about technical things, why do you think police are any different?


I don't think non technical people could pursue the investigation at all. I'm technical but not in that specialism so I'd have to do some studying just to get started.

Do you really imagine a patrol cop gets given a computer and told to 'find the suspect'? The legislators have someone else write what they put their name to, so that's not comparable.


>patrol cop gets given a computer and told to 'find the suspect'?

No, just one that got promoted to detective


And then you'll get a warning from the police? While not ideal, that's hardly the same as a potentially fatal swatting


Depends entirely on how the police react, but it could as well lead to them confiscating all of your computers and putting you in a jail.

Of course, swatting is worse. An on-demand terrorist attack by phone call is hard to top. But this one can be pretty bad too. Well, or maybe not, because it's not the starting evidence that makes it bad.


It doesn't have to be fatal to be bad.


Assuming the legal system uses it as a teaching exercise. For some reason I feel like it's going to be used to throw the book at people who would be better served by guidance / opportunities instead.


From what I've heard on DarkNet Diaries, the UK courts seem quite good at picking up intelligent youngsters involved in hacking and giving them a chance to move into cybersecurity.


The UK has a few pretty good schemes (e.g. Cyber Prevent) that try to intervene and stop young people before they get landed with a criminal record for (lower level) cyber crime - at one point the average age at time of arrest was 17.


>before something tragic happens.

Gotta be USA.


> Do people really give their actual contact details to do crimey activities?

On one hand we could say that anything helps: if they catch the stupid ones, that's still great. On the other hand, that may be all they're after, if they're compensated or promoted based on cases solved. "Last quarter we caught 120 criminals in our clever snare". That looks very nice on a report so it may be that's all they're happy doing.


I feel like catching the dumb ones is like using antibiotics. The smarter survivors share information and procreate (forums etc.).


Well police are generally also dumb, so it's far easier for them. It takes a lot of resources to get the ones who are better at hiding


Cheaters always seem to think they are in the right with what they are doing. I don't see why booters (kicking people off of p2p multiplayer games) would even realize that they are doing a crime, much less doing something wrong. It's just another variety of cheating.


(TFOR -- throwaway for obvious reasons...)

Yes, the "genpop" indulging in casual crimey activities are shockingly lax about basic opsec.

I did some work consulting for the NCA a few years back (they're a very weird mix of some extremely tech-competent folks, and some parts total luddite) scraping "dark web" forums looking for high-value law enforcement targets -- and it was ludicrously simple to identify "retail" participants who were, for example, trying to buy credit card/bank info dumps,

FWIW unless there was some sort of big metrics-driven or politically motivated push, these retail-type small fry were generally ignored in favour of trying to identify and trace down more organised efforts.


I heard a story from a cybersecurity pro that their former spouse worked for US intelligence. The spouse signed up for a message board for people who were trying to land a job at the CIA. The spouse had to use a credit card to sign up. The site was a honeypot by the CIA.


A site to get a job at $place was set up by $place? What an elaborate honeypot!


I've fallen for that scam four times now, and had to work for a few years each time before I felt like attempting to fall victim to the same scam again.

The pay is barely satisfactory, but sets a decent precedent for a scam at least.

Admittedly, however, I never needed to give out credit card details, just bank account.


You would be surprised, a lot of people have bad opsec when it comes to doing stuff online. When it comes to booting it usually also involves kids and teens doing stuff like trying to take down Minecraft servers, and a lot of them don't consider such details.


A lot of times the users of these services are very dumb people trying to get very dumb revenge on something they perceive as a very dumb slight


I remember reading about a guy who set up a fake hitman for hire site and got people all the time contacting him to whack their spouses or whatever, and would provide all the needed details. If the people persisted, he'd pass them onto the police.

Edit: found it: RentAHitman.com

https://boingboing.net/2022/01/11/how-rentahitman-com-went-f...

https://www.reddit.com/r/AMA/comments/v5422p/i_operate_a_fak...


> Despite the claims made by founder Guido Fanelli, RentAHitman.com does not actually comply with the privacy laws as sort forth in the Hitman Information Privacy & Protection Act of 1964 (also known as HIPPA).

That is hilarious. I’ve always wondered what HIPPA was, now I know. ;)


I'm pretty sure the identification will be by IP and possibly email address, similar to how bittorrent seeders are identified for copyright infringement.


> Do people really give their actual contact details to do crimey activities?

You'd hope not, but lots of people do when it comes to piracy. Private trackers often require accounts and interviews which can cause someone to leave a pretty extensive digital trail if they aren't careful including a clear record of everything they uploaded and when.


Could be based on IP address too, not just given contact info.


There are six of us using my connection. Only one of us is not using a vpn.

Sorry, James - someone's gotta go to jail.


Spoof an ip address? Unheard of.


With an established TCP connection? Yes? It is. That’s not really spoofing, it’s proxying. For starters, it’s more effort than the majority of these DDoS kiddies are going to. And let’s not let the perfect be the enemy of the good. When the cops rock up and tell Mum that little Johnny has been running amuck online, he’s going to shit his britches and fess up immediately.

I trust that law enforcement knows the pattern with this one.


The websites will offer PayPal and then email people who apply.

This is why we need a robust crypto system.

So that you can pay for whatever you want without worrying about giving away who you are.


> This is why we need a robust crypto system.

I don't think the need to be able to buy DDoS without getting caught is the most compelling argument. Do you think being able to packet people is a social good?


It's been used by hacktivists before, although people can already pay with bitcoin or other anonymous forms of payment anyway, so even if you accept the DoS as a valid form of protest (and I'm not sold on that personally) we don't really need any new crypto system


Organic, home-grown DDOS attacks with dozens to thousands of people using home-internet grade connection, such as the infamous 4-chan LOIC, can reasonably be compared to a form of protest. Loudly blocking the way into a business is pretty common among strikers.

For profit DDOS attacks using significantly stolen bandwidth from compromised machines are clearly a different thing entirely. Where you draw the line between them is a discussion topic.


God. LOIC. I haven’t heard that in a while.


Bitcoin isn't anonymous, it's pseudonymous. Unless one is extremely careful and takes a number of secondary steps, bitcoin won't protect your identity.


I don't want my personal morals to control what others can pay for.

The current system of thought is to make it harder for Peter to buy a coffee in the morning to try and stop Paul from paying for DDOS traffic.

Decouple it the way that WhatsApp decoupled itself from the problem of three letter agencies wanting to know message contents with E2EE.

As it stands, if some hedge fund doesn't like your product it can pressure VISA to stop letting people buy it. And that's it, game over. It doesn't need to be legally wrong, or even morally wrong. Just not what some rich dude wants going on.


> I don't want my personal morals to control what others can pay for.

You don't want your personal morals to prevent others from paying for child prostitutes, hitmen, nerve gas, fissile material or smallpox samples?


Unless you're planning to personally oversee every transaction in cash, gold, diamonds, sea shells.

It's a false equivalency.

Major banks have been found to actively facilitate all those things.

So why not have a convenient currency in crypto and just use law enforcement to enforce the law!


Almost all crypto at this point can be linked back to a person since it’s mostly bought through a few large exchanges that the government has complete insight into.

The only way for it to not be traced outside of monero and maybe a few others that have no adoption is buy in cash in person and transfer it to a never before used address. Mine it yourself and never mix it with your other funds.


I mean... I applaud your honesty and pragmatism as to what are the main reasons why we'd want a working crypto currency system. It's refreshing :)


Dropping your cynical take, and for reasons other than buying illegal services, bitcoin plus strong privacy tools provides a path towards eventually separating money payments from identity.

Money is a form of speech, in that it communicates values. Sometimes freedom of speech requires strong anonymity. I see no reason money shouldn't have the same characteristics. The alternative---that governments and other entities get to surveil all our monetary speech/actions---will only have further chilling effects on freedom and civil society.

We need monetary privacy to preserve ordered freedom in society, not to buy criminal services.

I'm glad police are trying to reduce DDoS crimes.


That is a fair point; I think many people will agree on "statement of problem" - pornography is a quick example which is a perfectly legal activity but a) may be privacy-demanding and b) payment methods are being denied based on... not legal requirements :).

Cash was nice - fairly anonymous. Digital anonymity seems to be harder. Currently, Crypto to the best of my understanding is not necessarily the solution - it is extremely trackable inside the system, and vulnerable at the edges of the system.


Bitcoin is neither private nor anonymous.


God you libertarians need to pick your battles. This is embarrassing.


If I saw that page (and the screenshot is accurate), I would assume it's fake. It looks like a fake ad straight out of the mid 00's. Those "The FBI has your location" type ads.


It's exactly the page I would expect to see if I tried to download a car


Yes, but these sites target morons; the sort of people who buy DDoS attacks using identifiable details and IP addresses and pay with traceable payment methods.


> Yes, but these sites target morons

I used to wonder why so many scam e-mails use such poor English until I realized this.


There’s something similar at http://z-lib.org/


Interesting to see the UK taking the lead on this - anecdotally one of the premier game studios in the UK (Jagex) has had long standing issues with their MMORPG worlds getting knocked offline by DDoS tools like these, as well as individual players.

A lot of infrastructure struggles under basic scaling situations, much less coordinated attacks on specific endpoints.


The VC move would be to cut out the middleman, Jagex can sell a service that DDoSs itself; pay enough and they'll take down a world; pay more, they bring it back up.


Clever idea!

I wonder why they chose to tell the users when they registered, instead of waiting? Could they have gone ahead and let them place orders for DDOS attacks, to capture more proof of the users' criminal intent, or would that count as entrapment? Someone who 'merely' registered could try to claim that they were a researcher, but if you hit the button to DDoS someone, that's going to be more difficult to deny responsibility for.

[Edit: Now that's making me imagine a disgruntled user suing the NCA for breach of contract: "I paid money for a DDoS and they didn't provide the service!"]


Unless the UK is very different, it shouldn't be entrapment to let them try to buy it. IANAL, but in the US, entrapment as a defense requires "the defendant's lack of predisposition to engage in the criminal conduct".


Which, by the way, is absolute bullcrap. A classic example is an undercover telling people at a methadone clinic that they've been cut off because of a paperwork snafu and begging people to share their legally prescribed methadone so they don't go into withdrawal. Because anyone at a clinic treating drug use has a predisposition to use illegal drugs, it can't be entrapment.


Your sentence is confusing because of the unclear use of "they". It sounds like in this case an undercover cop would come to someone asking for their controlled drugs and you're arguing that it should be entrapment.


> and you're arguing that it should be entrapment

I'd agree with this in principle.

If a citizen approaches an undercover cop and offers to sell their controlled substances that isn't entrapment.

If an undercover cop approaches someone and asks to purchase their controlled substances that should be entrapment.

Police shouldn't be able to ask you if you want to commit a crime, it muddies the water of intent. If the police hadn't initiated the crime by asking, would the citizen still have done the illegal thing?

Standing up a honeypot is different. If someone is actively searching for a good or service and initiates contact with the honeypot, intent is clear.

For me, part of this is "give an inch they take a mile." Letting police ask you to commit a crime is an inch. Then the police get convincing with lines like "my babies are at home, we can't make rent and I can't afford formula. I'm trying to get clean anyways, can I sell you my 8ball for some cash? No no, I can't accept charity. No no, I don't have anything else to sell." Perhaps the citizen doesn't do drugs, has no intention of doing drugs, and is foolish enough to think they can give this person cash and toss the drugs in the nearest trash can once out of sight. Instead they're getting handcuffed because a police officer pulled at their heartstrings and tricked them into "buying drugs."


So, any conviction that starts off with "that guy over there is my dealer", then the cop goes over and asks to buy drugs, the dealer flashes open his coat, those should be thrown out for entrapment?

To put it politely, No thanks. I'd prefer it to keep working as it does.


The undercover cop is asking people for controlled prescription drugs. The cop claims they have a medical need and a prescription. The cop says the only reason they can't get the meds legally is one of the standard system errors that delay getting drugs in this country.

Let's call the person giving the drugs Sally. If Sally has a previous conviction for drug-related crimes this isn't entrapment. If Sally has no criminal record it is entrapment and she walks free. I think she should walk free regardless, i.e. it's always entrapment.


The UK is very different: there is no general defense of "entrapment" in UK criminal law.


It's written somewhat in jargon but the CPS gives guidance in the section Entrapment on https://www.cps.gov.uk/legal-guidance/abuse-process.

It's relatively readable, it's probably enough to note that a "stay" means that a trial will not proceed (at all).

A quote from that section:

"Police conduct which brings about state-created crime is unacceptable and improper, and to prosecute in such circumstances would be an affront to the public conscience. However, if the accused already had the intent to commit a crime of the same or a similar kind, and the police did no more than give him the opportunity to fulfil his existing intent, that is unobjectionable."


I suspect the idea was to discourage instead of entrap/punish. I guess I'm also curious about the rationale, was it a strategic decision, a humane one, or a legal one? All of the above?

Maybe as simple as the action being illegal and since they are not providing the advertised service then no crime is committed? I don't know how broadly applicable this is but in at least one state the local drinking laws boil down to 'you will not serve minors', perhaps something similar here.


It probably would also help with investigations too. If Joe Bloggs tried to sign up to attack bobsforum.com, got warned off by one of these services, and then a couple weeks later bobsforum.com had an actual attack, they’re probably going to knock on Joe Bloggs’ door first.


Probably deliberate, for most a warning and a stern phone call will probably be enough to convince them not to try it again so if preventing crime rather than getting convictions is your goal then it's done its job.

It wouldn't be entrapment unless the NCA was proactively coercing people into placing orders. (you can't have a contract for something illegal so there'd be no right of action)


Besides entrapment, I could imagine that they do genuinely want to increase awareness that it's illegal (meh, "in the majority of countries"). It's more about discouraging people from using such services so they're likely not looking to prosecute the, so far, several thousand people who have tried to sign up for the services.


A lot of them are kids, students, etc. Gamers are a major demographic for this stuff.


They probably monitored the communities that talk about these services and figured that suspicions were growing. Also if you say that there are more services out there, then it makes people think twice.


Seems like setting up honeypot sites would be a perfect application for AI. You can even generate fake faces to keep real people out of it.


I wonder how many VPN providers are secretly government honeypots set up by security agencies. I suspect most of them.


The providers that don't comply with the warrants get taken down eventually, so effectively it may as well be all of them.


Is it just me or does National Crime Agency sound like a criminal organization with an ironic name?


They are a member of The Legitimate Businessman's Club


> According to U.S. federal prosecutors, the use of booter and stresser services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act

How does wire fraud fit? What's the fraud?


My understanding is that a person can be convicted of wire fraud even if no victim was actually defrauded; simply the use, or foreseeable use, of interstate wire communication infrastructure by the perpetrator in some grander scheme to 'defraud' (which is a sweeping definition) can be used to convict.


Wire fraud is one of those catch-all crimes, like money laundering, that you can fit to any case without a clear victim or statutory violation but with proof of obvious malicious/criminal intent.


That's actually a clever idea, a fake DDoS service honeypot.


If they take it just a little bit farther and collect payment before revealing they're fake, the service would be self-funding!


Say what you want about 'booter' services, but a DDoS of a particular web presence has been a long standing weapon of dissidents/activists who want certain services taken down, even if only briefly. It's the only means of online protest we have, short of simply sending an e-mail to a hosting service asking for certain content to be taken down, or DMCA'ing them.

Edit: The real pros don't use Booter-as-a-Service sites, they infect a bunch of IoT devices using tools they made themselves and hammer a specific IP or range of IPs.


Censorship is censorship and it's abhorrent regardless of who is doing it or why.

Dressing it up in terms like "protest" is a smokescreen.


Are the cops censoring the ddos using protestors? Are you?



