Blog Jay Leiderman Law

The worst passwords

Here’s the list of the worst passwords. If you recognize your password on it, it’s time to rethink your password security and change your login:

  1. 123456 (Unchanged)
  2. password (Unchanged)
  3. 12345678 (Up 1)
  4. qwerty (Up 1)
  5. 12345 (Down 2)
  6. 123456789 (Unchanged)
  7. Football (Up 3)
  8. 1234 (Down 1)
  9. 1234567 (Up 2)
  10. baseball (Down 2)
  11. welcome (New)
  12. 1234567890 (New)
  13. abc123 (Up 1)
  14. 111111 (Up 1)
  15. 1qaz2wsx (New)
  16. dragon (Down 7)
  17. master (Up 2)
  18. monkey (Down 6)
  19. letmein (Down 6)
  20. login (New)
  21. princess (New)
  22. qwertyuiop (New)
  23. solo (New)
  24. passw0rd (New)
  25. starwars (New)

Password complexity is critical in the age of the security breach

From Microsoft:

Although many alternatives for user authentication are available today, most users log on to their computer and on to remote computers using a combination of their user name and a password typed at their keyboard. Some retailers will configure their Point of Service terminals to auto login on boot. Some retailers will allow the user to select their own password. To make it easier to remember their passwords, users often use the same or similar passwords on each system; and given a choice, most users will select a very simple and easy-to-remember password such as their birthday, their mother’s maiden name, or the name of a relative. Short and simple passwords are relatively easy for attackers to determine. Some common methods that attackers use for discovering a victim’s password include:

  • Guessing—The attacker attempts to log on using the user’s account by repeatedly guessing likely words and phrases such as their children’s names, their city of birth, and local sports teams.
  • Online Dictionary Attack—The attacker uses an automated program that includes a text file of words. The program repeatedly attempts to log on to the target system using a different word from the text file on each try.
  • Offline Dictionary Attack—Similar to the online dictionary attack, the attacker gets a copy of the file where the hashed or encrypted copy of user accounts and passwords are stored and uses an automated program to determine what the password is for each account. This type of attack can be completed very quickly once the attacker has managed to get a copy of the password file.
  • Offline Brute Force Attack—This is a variation of the dictionary attacks, but it is designed to determine passwords that may not be included in the text file used in those attacks. Although a brute force attack can be attempted online, due to network bandwidth and latency they are usually undertaken offline using a copy of the target system’s password file. In a brute force attack, the attacker uses an automated program that generates hashes or encrypted values for all possible passwords and compares them to the values in the password file.

Each of these attack methods can be slowed down significantly or even defeated through the use of strong passwords. Therefore, whenever possible, computer users should use strong passwords for all of their computer accounts. Computers running Windows Embedded for Point of Service (WEPOS) support strong passwords.

Passwords are case-sensitive and may contain as many as 127 characters. A strong password:

  • Does not contain the user name.
  • Is at least six characters long.
  • Contains characters from three of the following four groups:

    Lowercase letters: a, b, c, …
    Uppercase letters: A, B, C, …
    Numerals: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
    Symbols (all characters not defined as letters or numerals): ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /
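The policy above can be turned into a simple check. What follows is an added example written for this post, not Microsoft's or WEPOS's own code: it applies the rules exactly as stated here (no user name, at least six characters, at most 127, characters from three of the four groups) and additionally flags anything on the worst-passwords list at the top of the page. Treating every non-letter, non-digit character as a symbol, and comparing the user name and the worst-passwords list case-insensitively, are assumptions of the example.

```python
import string

# Constructed from the page's top-25 worst-passwords list (lowercased).
WORST_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "1234567890",
    "abc123", "111111", "1qaz2wsx", "dragon", "master", "monkey",
    "letmein", "login", "princess", "qwertyuiop", "solo", "passw0rd",
    "starwars",
}

MIN_LENGTH = 6     # page: "at least six characters long"
MAX_LENGTH = 127   # page: "may contain as many as 127 characters"
MIN_GROUPS = 3     # page: "characters from three of the following four groups"


def character_groups(password):
    """Return the set of character groups present: lower, upper, digit, symbol."""
    groups = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            groups.add("lower")
        elif ch in string.ascii_uppercase:
            groups.add("upper")
        elif ch in string.digits:
            groups.add("digit")
        else:
            # Page: symbols are "all characters not defined as letters or numerals"
            groups.add("symbol")
    return groups


def password_problems(password, username=""):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Assumption: the user-name rule is checked case-insensitively, and an
    # empty user name is skipped rather than matching every password.
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    groups = character_groups(password)
    if len(groups) < MIN_GROUPS:
        problems.append(
            f"uses only {len(groups)} of 4 character groups ({', '.join(sorted(groups))})"
        )
    # Assumption: the worst-passwords comparison ignores case ("Football" == "football").
    if password.lower() in WORST_PASSWORDS:
        problems.append("appears on the worst-passwords list")
    return problems


def is_strong(password, username=""):
    """True when the password meets every rule on the page."""
    return not password_problems(password, username)


if __name__ == "__main__":
    for candidate in ("Football", "passw0rd", "Jay2016!x", "Tr0ub4dor&3"):
        print(candidate, "->", password_problems(candidate, username="jay") or "OK")
```

Note that "passw0rd" (number 24 on the list) fails twice: it uses only two of the four character groups and it is on the list, which is the point of checking both; a complexity rule alone does not catch a well-known weak password such as "P@ssw0rd"-style variants unless they are also on a blocklist.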


Change your passwords every six months to ensure continued security

Now you know.  Go get more secure.


By Jay Leiderman,* originally published in the Ventura County Star on June 17, 2011, the 40th anniversary of the war on drugs. It was then titled: Unhappy 40th anniversary, war on drugs. The article has been updated.

On June 17, 1971, President Nixon started his so-called War on Drugs.

“This nation faces a major crisis in terms of the increasing use of drugs, particularly among our young people,” Nixon said. “Public enemy No. 1 in the United States is drug abuse. In order to fight and defeat this enemy, it is necessary to wage a new, all-out offensive.”

It has now been almost 44 years of the War on Drugs, a war lasting longer than almost all wars in American history combined. The winners of this war are government contractors, the law enforcement “business” and the prison industrial complex.

Since 1971, the federal government has spent almost a trillion taxpayer dollars fighting drugs. A report from the Senate Homeland Security and Governmental Affairs Committee disclosed that the government awards the majority of counter-narcotics contracts to five large defense corporations. The U.S. Government Accountability Office recently reported that the State Department does not even evaluate whether its counter-narcotics program is successful.

Our tax dollars are also being spent on the prison system and the criminal enforcement of the narcotics laws. Currently, there are 2.3 million people incarcerated in America — triple the amount in 1987 and a quantum leap over those incarcerated in 1971. An estimated 25 percent of incarcerations are for drug offenses including drug possession, drug trafficking and drug dealing.


The war on drugs has been an unmitigated disaster. Since its inception, drug use has massively increased

Americans spend nearly $70 billion a year dealing with these prisoners. The U.S. has the highest incarceration rate of any country in the entire world. Moreover, minorities are incarcerated at significantly higher rates than whites, despite the numerous studies showing whites engaging in drug use at similar or higher rates than minorities.

We cannot sustain this incarceration rate. In May, the U.S. Supreme Court acknowledged that our over-incarceration policies have produced a crisis in California prisons, where extreme overcrowding creates unconstitutional conditions mandating the release of prisoners. Justice Anthony Kennedy called California prisons “incompatible with the concept of human dignity.”

Drug war losers are the American taxpayers, drug addicts and civil liberties. The War on Drugs has not resulted in fewer drug addicts. In 2005, James Anthony, Ph.D., reported that the number of teenagers who experiment with recreational drugs is nearly equal to its peak years in the early 1970s.

Drug Enforcement Administration statistics assert the rate of addiction in the U.S. has remained constant at 1.3 percent of the population over the past 40 years. This directly contrasts with the Substance Abuse and Mental Health Services Administration’s numbers, which put drug addicts at 6.7 percent of the population today using the DSM-IV criterion (used by health care professionals, not law enforcement). The Centers for Disease Control and Prevention says drug overdoses have “risen steadily” since the early 1970s to more than 20,000 last year.

Moreover, the ACLU recently said: “Future generations will look back on the ‘war on drugs’ as a crude, barbaric and inhumane response to the social and public health problem of drug abuse. And they’ll look back with dismay at how our primitive ‘drug war’ had ugly repercussions in so many areas.

“One of those areas is the growth of government surveillance [in other words, the ushering in of the “tin foil age”]. It is a ‘war’ that takes place not on some foreign battlefield, but in the lives of Americans — their homes, cars, phones, purses and bodies — and in fighting this war the authorities have found justification for extending their power into all such realms.”

We are not safer from the problems that drugs have caused, nor are we free of drug abuse in our society. We are, however, systematically relieved of our rights to be free from intrusions into our persons, homes, effects and liberties.

After almost 44 years and nearly a trillion dollars, we have seen no success in the War on Drugs. Rather, we have only failure. Law enforcement admits that drugs today are cheaper, higher quality and more readily accessible, even to children. Casual use has either increased or remained level for 40 years, despite law enforcement’s efforts to stop drug use altogether.

We need a renewed debate about the wisdom of continuing this war as presently prosecuted. A paradigm shift is needed.

Earlier this month, the Global Commission on Drug Policy called for the legalization of some drugs and an end to the criminalization of drug users. The panel includes former world leaders and international luminaries.

If certain drugs were decriminalized, the panel stated, and the money instead spent on treatment and rehabilitation, fewer people would be incarcerated and would instead be contributing to society. Based upon the failure of a 40-year policy that is unsustainable going forward, this approach deserves serious study and discussion.

According to Sen. Claire McCaskill, D-Mo., “We are wasting tax dollars and throwing money at a problem without even knowing what we are getting in return.”

U.S. drug czar Gil Kerlikowske admitted to the Associated Press, “In the grand scheme, (the War on Drugs) has not been successful. Forty years later, the concern about drugs and the drug problem is, if anything, magnified, intensified.”

Mr. President, Mr. Governor, it’s been almost 44 years … please end the War on Drugs. America is not winning.

* Ventura County, California criminal defense lawyer and State Bar Certified Criminal Law Specialist Jay Leiderman handles all types of drug-related cases, including drug dealing, drug trafficking, drug possession, DUI, and medical marijuana cases involving the CUA or Prop 215 and SB 420 also known as the MMPA, as well as cases of all types involving the mentally ill who “self medicate” due to a lack of treatment. Jay has spent a lot of time and resources fighting against the drug war.


What Hacking Software Is Out There as a Result of the NSA Hack

According to NSA whistleblower Edward Snowden, a recent leak of supposedly secret NSA hacking tools reflects an escalation of tensions between Russia and the United States. For others, however, it points to concerns about what, if any, privacy is still available to the general public.

Snowden, just as the movie bearing his name was released, sent Twitter alight on Tuesday with suggestions of “Russian responsibility” in the recent release of the NSA hacking instruments, noting as well that “Russia did it” would likely be the response to the accusations of the Hillary Clinton campaign, as conventional wisdom and the best investigation results also suggest Russian hackers leaked internal Democratic National Convention emails that damaged Clinton and DNC chair Debbie Wasserman-Schultz and cast a dark cloud over the convention.

A series of tweets sent by Snowden on August 16th should get the discussion started:


Edward Snowden has done more to protect constitutional rights that anyone in recent memory. He has exposed the fact that the government has been intruding on our privacy in a shocking and despicable manner.

The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here’s what you need to know: (1/x)

  1. NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals.
  2. NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations.
  3. This is how we steal their rivals’ hacking tools and reverse-engineer them to create “fingerprints” to help us detect them in the future.
  4. Here’s where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us — and occasionally succeed.
  5. Knowing this, NSA’s hackers (TAO) are told not to leave their hack tools (“binaries”) on the server after an op. But people get lazy.
  6. What’s new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.
  7. Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.
  8. Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here’s why that is significant:
  9. This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.
  10. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies.
  11. Particularly if any of those operations targeted elections.
  12. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.
  13. TL;DR: This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast.

Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution – it’s cheap and easy. So? So…

The undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak.

You’re welcome, @NSAGov. Lots of love. (emphasis added, just for funziez)

1st Reply: Nimjeh / NoName 2016 ‏@MyTinehNimjeh  Aug 16: “Thanks for the insight, helpdesk Snowden. @Snowden @NSAGov”


Thanks indeed.  Let’s move on to some further analysis.

The origin of the source code has been a matter of heated debate for weeks (notwithstanding Snowden’s tweets) and has been scrutinized at length by cyber security experts. Although it is unclear how the software was leaked (again, notwithstanding Snowden’s tweets), one thing is beyond speculation: the malware is covered from top to bottom with virtual fingerprints of the NSA and is clearly from the agency. The hacking tools are in the possession of a group that calls itself the Shadow Brokers. They have put a good deal of the leaked data on the open net for public inspection. Proof that ties the Shadow Brokers dump to the NSA comes in an NSA agency manual for implanting malware that was classified as top secret. It was also provided by Snowden in the treasure trove of leaked material that he possessed, but, like so much of the Snowden data, it was not previously available to the public. The draft manual instructs NSA operators to monitor their use of a malware program using a specific 16-character string: “ace02468bdf13579.” That exact same string appears throughout the Shadow Brokers data and in the code associated with the same program, called SECONDDATE, that Snowden possessed.
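A marker string like the one quoted above is exactly the kind of artifact a defender can hunt for in captured files. The following is an added example, not code from this post, from The Intercept, or from any agency document: it scans a byte stream in chunks for the string, both as plain ASCII and as UTF-16LE (an assumption about how such a string might be stored in a Windows binary), carrying over a tail between chunks so that a hit straddling a chunk boundary is still reported exactly once. The sample data is constructed inline.

```python
import io

# The identifier quoted on the page. Everything else here is an assumption of the example.
MARKER = b"ace02468bdf13579"


def marker_variants(marker=MARKER):
    """Byte patterns to search for: the marker as ASCII and as UTF-16LE (assumed encodings)."""
    return {
        "ascii": marker,
        "utf-16le": marker.decode("ascii").encode("utf-16-le"),
    }


def scan_stream(stream, marker=MARKER, chunk_size=4096):
    """Yield (encoding, absolute_offset) for every marker hit in a byte stream.

    The stream is read in fixed-size chunks. The last len(needle)-1 bytes of each
    buffer are carried into the next one, so a marker that straddles a chunk
    boundary is still found; a seen-set keeps such a hit from being reported twice.
    """
    variants = marker_variants(marker)
    overlap = max(len(needle) for needle in variants.values()) - 1
    carry = b""
    base = 0          # absolute offset of carry[0] (and therefore of buf[0])
    seen = set()
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        for name, needle in variants.items():
            pos = buf.find(needle)
            while pos != -1:
                hit = (name, base + pos)
                if hit not in seen:
                    seen.add(hit)
                    yield hit
                pos = buf.find(needle, pos + 1)
        carry = buf[-overlap:] if overlap else b""
        base += len(buf) - len(carry)


def scan_bytes(data, marker=MARKER, chunk_size=4096):
    """Convenience wrapper: scan an in-memory blob and return hits sorted by offset."""
    return sorted(scan_stream(io.BytesIO(data), marker, chunk_size), key=lambda h: h[1])


if __name__ == "__main__":
    # Constructed sample: the ASCII marker placed so it crosses the 4096-byte
    # chunk boundary, followed by a UTF-16LE copy further on.
    sample = (b"\x00" * 4090 + MARKER + b"\x00" * 100
              + MARKER.decode().encode("utf-16-le") + b"\x00" * 10)
    for encoding, offset in scan_bytes(sample):
        print(f"{encoding:8s} at offset {offset}")
```

The same function works on a real file by passing `open(path, "rb")` in place of the `BytesIO`; the chunk size only affects memory use, not which hits are found, which is what the overlap logic guarantees.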

“SECONDDATE plays a specialized role inside a complex global system built by the U.S. government to infect and monitor what one document estimated to be millions of computers around the world. Its release by ShadowBrokers, alongside dozens of other malicious tools, marks the first time any full copies of the NSA’s offensive software have been available to the public, providing a glimpse at how an elaborate system outlined in the Snowden documents looks when deployed in the real world, as well as concrete evidence that NSA hackers don’t always have the last word when it comes to computer exploitation.”  See The Intercept: THE NSA LEAK IS REAL, SNOWDEN DOCUMENTS CONFIRM Sam Biddle; Aug. 19 2016 https://theintercept.com/2016/08/19/the-nsa-was-hacked-snowden-documents-confirm/


The tin foil age – you are no longer crazy if you think that the government is spying on you. Tin foil hats are needed more now than ever before ;)

A cache of hacking tools with code names like Epicbanana, BuzzDirection, and Egregiousblunder mysteriously appeared online in mid-August, putting the computer security world in a race to ascertain both the origin and authenticity of a treasure trove, the likes of which had never been seen, all the while buzzing with speculation about whether the NSA was truly involved and what the fallout would be. The files, of course, turned out to be real. Indeed, no doubt could be reasonable after former NSA personnel who worked in the hacking division of the agency, known as “Tailored Access Operations” (TAO), confirmed that the hacking tools were indeed authentic and bore an unmistakable NSA fingerprint. “Without a doubt, they are the keys to the kingdom,” said a former TAO employee, who spoke on condition of anonymity in order to discuss sensitive internal operations. “The stuff you’re talking about would undermine the security of many large government and business networks, both here and abroad.” Moreover, “Faking this information would be monumentally difficult, there is just such a sheer volume of meaningful stuff,” Nicholas Weaver, a computer security researcher at the University of California at Berkeley, said in an interview. “Much of this code should never leave the NSA.”

Said a second former TAO hacker who saw the file: “From what I saw, there was no doubt in my mind that it was legitimate.”

The file contained 300 megabytes of information, including several “exploits,” or tools for taking control of firewalls in order to control a network, and a number of implants that might, for instance, exfiltrate or modify information.

The exploits are not run-of-the-mill tools to target everyday individuals. They are expensive software used to take over firewalls, such as Cisco and Fortinet, that are used “in the largest and most critical commercial, educational and government agencies around the world,” said Blake Darche, another former TAO operator and now head of security research at Area 1 Security.


The software apparently dates back to 2013 and appears to have been taken then, experts said, citing file creation dates, among other things.

“What’s clear is that these are highly sophisticated and authentic hacking tools,” said Oren Falkowitz, chief executive of Area 1 Security and another former TAO employee.

Some of the exploits were pieces of computer code that make use of “zero-day,” or previously unknown, vulnerabilities in firewalls, which do not appear to have been fixed to this day, said one of the former hackers. The disclosure of the documents means that at least one other party, possibly another country’s spy agency, has had access to the same hacking tools the NSA used and could turn them against organizations that use vulnerable routers and firewalls. It can also see whom the NSA has been targeting and spying on. Now that the tools are public, as long as the flaws remain unpatched, other hackers can take advantage of them, too.

In a typical chickenshit government move, the NSA did not respond to requests for comment.  Why bother letting the citizens of the very nation they are … um … trying to protect(?) know what they have unleashed upon them.


Edward Snowden has been the voice guiding the masses through the often confusing world of cyber espionage

The instruments were released by the aforementioned group the Shadow Brokers using both websites such as text sharing site Pastebin and file sharing programs such as BitTorrent and DropBox. As usual in such cases, the true identity of the person who put the tools out in the public domain remains hidden. Attached to the cache was an “auction” note that purported to be selling the second set of tools to the highest bidder: “Attention!!! Government sponsors of cyber-warfare and those who benefit from it!!! How much would you pay for enemies’ cyber weapons?”

The group also said that if the auction increased all the way to 1 million Bitcoins – equal to about $500 million U.S. Dollars – it would release the second file for free to the whole world. The auction “is a joke,” says Weaver. “It’s designed to distract. It’s total nonsense.” He said that “Bitcoin is traceable so that a Dr. Evil scheme of laundering $1 million, let alone $500 million, is nothing short of madness.”

One of the former TAO operators said he suspected that whoever found the tools doesn’t have everything. “The stuff they have there is super-duper interesting, but it is by far not the most interesting stuff in the tool set,” he said. “If you had the rest of it, you’d be leading off with that, because you’d be commanding a much higher rate.”

TAO, a secret unit that helped craft the digital weapon known as Stuxnet, has grown in the past decade or so from several hundred to more than 2,000 employees in the NSA’s Fort Meade, Md., headquarters. The group dates back to early 1990. The nickname, Tailored Access Operations, suggests a precision technique that some officials compared to brain surgery. The name also reflects how encryption whizzes make beautiful and dangerous instruments from scratch, the same way a fine tailor takes a spool of wool and fashions a custom-made suit, except that computer geeks more often work in jeans and T-shirts. “We break out the Nerf guns and have epic Nerf gun fights,” said one of the former hackers.

Some former agency employees suspected that the leak was due to a mistake by an NSA operator, instead of a successful hack by a foreign government’s so-called “state sponsored hacking” agency. When NSA staff hack foreign computers, they do not move directly from their own intelligence systems to the targets’, fearing that the attack would be too easy to trace. They use a form of proxy server, a “redirector,” that masks the hackers’ origin, chaining one or more such servers to frustrate any trace. One wonders if they use TOR and a commercial VPN service as well.

Looking back at Edward Snowden’s tweets at the top of this article, it is clear that the US is engaging in state-sponsored espionage. At the same time, other state-run spy services, such as Russia’s, are doing the same to the United States. It is not unprecedented for a TAO operator to accidentally upload a large file of “sacred” resources to a redirector, said one of the former employees. “What is unprecedented is not to realize that you made a mistake,” he said. “You would know, ‘Oops, I uploaded that set,’ and remove it.”


Critics of the NSA have suspected that the agency, when it discovered a software vulnerability, would never disclose the issue, thereby compromising the cyber security of everyone it is supposed to protect. This new disclosure shows why it’s important to tell software makers when errors are detected instead of keeping them secret, said one of the former agency employees, because now that the information is publicly available for anyone to use, too many hackers with nothing more than basic internet infrastructure will be testing the limits of their new toys.

Snowden, Weaver and some of the former NSA hackers say they suspect Russian involvement in the release of the cache, although no one has offered hard evidence. They say the timing – in the wake of high-profile revelations from the Russian government’s state-sponsored hacking of the Democratic National Committee and other party organizations – is remarkable.

Snowden is fast becoming the go-to resource for simple answers to the complex world of cyber espionage. As he tweeted, the leak looks like “somebody sending a message that an escalation in the attribution game could get messy fast.” Hacks are always political in one way or another. Whether you’re hacking your ex-girlfriend’s Facebook account or trying to change your grades in the school’s computer, there is a point that you are trying to make beyond the physical act of hacking. “I can get you.” “I own you.” “I win.” In politics, as in love and war, all is fair. War is hell. Cyber war too is H377.


In American jurisprudence, the testimony of one witness who is believed is sufficient for a conviction. The Bible disagrees. The Bible says the following in Deuteronomy 19:15, as it relates to criminal inquests and prosecutions:

“A single witness shall not suffice against a person for any crime or for any wrong in connection with any offense that he has committed. Only on the evidence of two witnesses or of three witnesses shall a charge be established.”  The Bible; English Standard Version


California allows the testimony of one witness to convict in a criminal case. The bible calls for two witnesses.

In discussing the application of this provision of the Bible, Matthew Henry stated:

“19:15-21 Sentence should never be passed upon the testimony of one witness alone. A false witness should suffer the same punishment which he sought to have inflicted upon the person he accused. Nor could any law be more just. Let all Christians not only be cautious in bearing witness in public, but be careful not to join in private slanders; and let all whose consciences accuse them of crime, without delay flee for refuge to the hope set before them in Jesus Christ.”


California law disagrees. The instruction given in a trial by the judge to the jury after the close of evidence but prior to deliberations is in direct conflict with Deuteronomy.

CALCRIM 301. Single Witness’s Testimony

The testimony of only one witness can prove any fact. Before you conclude that the testimony of one witness proves a fact, you should carefully review all the evidence.


God’s law conflicts with man’s law. Man’s law is used in our courts and people are often convicted by witnesses providing false testimony.

It wasn’t the idea of the law of God that one snitch could send a defendant to death row.  But in the law of man we don’t worry about such things.  A lack of proof via corroboration is one of the central problems with our justice system.  False accusations abound.  Of the people exonerated through DNA evidence, the overwhelming majority were convicted either by false testimony or mistaken eyewitness testimony.  Maybe it isn’t such a bad idea to look at the bible’s definition of witnesses necessary to convict.  If one injustice is prevented it may well be worth it.


THE FRUITS OF AN ILLEGAL SEARCH OR SEIZURE ARE TAINTED AND MAY NOT BE USED AS EVIDENCE

Evidence seized as the result of a search or seizure (or an arrest) which has exceeded permissible bounds is the “fruit of the poisonous tree” and must be excluded. Wong Sun v. United States, (1973) 371 U.S. 471. Thus confessions, admissions and physical evidence are barred, Lockridge v. Superior Court, 3 Cal.3d 166 (1970); as well as testimony as to the identity of stolen goods, People v. Dowdy, 50 Cal.App.3d 180 (1975); and tape recordings, People v. Coyle, 2 Cal.App.3d 60 (1969). See also Ruiz v. Craven, 425 F2d 235 (9th Cir 1970) (confession after confrontation with illegally seized heroin).


Also, tangible evidence obtained as a fruit of a Miranda violation is inadmissible and may be suppressed under Penal Code section 1538.5. People v. Abbott, 3 Cal.App.3d 966 (1970); U.S. v. Casell, 452 F2d 533 (7th Cir 1971); People v. Superior Court (Keithley), 13 Cal.3d 406 (1975). An admission or confession or other intangible fruit which is the result of an illegal arrest can be challenged under Penal Code section 1538.5. Wong Sun, supra; People v. DeVaughn, 18 Cal.3d 889 (1977).


Jay Leiderman on his way into Federal Court to present a vigorous and hard-hitting defense; his duty under the constitution and his privilege as a lawyer.

Once it is shown that a statement was the fruit of a violation of the constitutional proscriptions against unreasonable searches and seizures, it is the People’s burden to purge the evidence of its taint. A mere giving of the Miranda admonition is not enough. Brown v. Illinois, 422 U.S. 590 (1975). Here, there is a substantial amount of taint upon the seized items. The taint was not purged from the evidence, and thus, it should all be suppressed.
