Pipe bomb suspect was spinning records as FBI closed in
By ERIC TUCKER, MICHAEL BALSAMO and COLLEEN LONG
Sunday, October 28
WASHINGTON (AP) — In the hours before his arrest, as federal authorities zeroed in and secretly accumulated evidence, Cesar Sayoc was in his element: spinning classic and Top 40 hits in a nightclub where he’d found work as a DJ.
As he entertained patrons from a dimly lit booth overlooking a stage at the Ultra Gentlemen’s Club, where Halloween decorations hung in anticipation of a costume party, he could not have known that investigators that very evening were capitalizing on his own mistakes to build a case against him.
He almost certainly had no idea that lab technicians had linked DNA on two pipe bomb packages he was accused of sending to prominent Democrats to a sample previously collected by Florida state authorities. Or that a fingerprint match had turned up on a separate mailing the authorities say he sent.
And he was probably unaware that investigators scouring his social media accounts had found the same spelling mistakes on his online posts — “Hilary” Clinton, Debbie Wasserman “Shultz” — as on the mailings he’d soon be charged with sending.
In the end, prosecutors who charged Sayoc with five federal crimes Friday say the fervent supporter of President Donald Trump unwittingly left behind a wealth of clues, affording them a critical break in a coast-to-coast investigation into pipe bomb mailings that spread fear of election-season violence. The bubble-wrapped manila envelopes, addressed to Democrats such as Barack Obama and Hillary Clinton and intercepted from Delaware to California, held vital forensic evidence that investigators say they leveraged to arrest Sayoc four days after the investigation started.
“Criminals make mistakes so the more opportunities that law enforcement has to detect them, the greater chance they’re going to be able to act on that, and that appears to be what happened here,” said former Justice Department prosecutor Aloke Chakravarty, who prosecuted the Boston Marathon bombing case.
But it wasn’t always clear that such a break would come, at least not on Monday when the first package arrived: a pipe bomb delivered via mail to an estate in Bedford, New York, belonging to billionaire liberal activist George Soros. That same day, Sayoc, still under the radar of law enforcement, retweeted a post saying, “The world is waking up to the horrors of George Soros.”
Additional packages followed, delivered the next day for Clinton and Obama and after that to the cable network CNN, former Attorney General Eric Holder, former Vice President Joe Biden and other Democratic targets of conservative ire.
Each additional delivery created more unease. But together they also provided more leads for the FBI, which mined each pipe bomb for clues at a laboratory in Quantico, Virginia.
As the packages rolled in, technicians hit a breakthrough: a fingerprint and DNA left on a package sent to Rep. Maxine Waters, a California Democrat and one of the intended pipe bomb recipients, and DNA on a piece of pipe bomb intended for Obama. The FBI said it had identified no other possible matches on the evidence it had examined.
Besides that, the FBI said, Sayoc’s social media posts, which traffic in online conspiracy theories, parody accounts and name-calling, include some of the same misspellings that were noticed on the 13 packages he was charged with sending.
The clues, authorities say, led them to a 56-year-old man with a long criminal history who’d previously filed for bankruptcy and appeared to be living in his van, showering on the beach or at a local fitness center.
As the FBI worked around the clock, and as Americans were busy debating the hard-edged political climate and whether Trump had fanned the flames with his rhetoric, it was business as usual for Sayoc as he took to Twitter to denigrate targets like Soros. That was not uncommon for the amateur body builder and former stripper whose social media accounts are peppered with memes supporting Trump and posts vilifying Democrats.
On Thursday from noon to 9 p.m. as law enforcement grew ever closer, descending on a postal sorting facility in Opa-locka, Florida, Sayoc was working as a disc jockey at a West Palm Beach nightclub where he’d found work in the last two months. There, he spun his music from inside a small dimly lit booth overlooking a stage with performers dancing below. Autographed photos of scantily clad and nude adult entertainers were plastered across the walls like wallpaper.
“I didn’t know this guy was mad crazy like this,” said Stacy Saccal, the club’s manager. “Never once did he speak politics. This is a bar. We don’t talk politics or religion in a bar, you know?”
But Scott Meigs, another DJ at the club, had a different experience.
He said Sayoc had been talking about politics to everybody at the club for the last two weeks, preaching the need to elect Republicans during the November elections. “I just figured he was passionate about the upcoming elections.”
The next morning, he was taken into custody near an auto parts store in Plantation, Florida, north of Miami. Across the street, Thomas Fiori, a former federal law enforcement officer, said he saw about 50 armed officers swarm a man standing outside a white van with windows plastered with stickers supporting Trump and criticizing media outlets including CNN.
They ordered him to the ground, Fiori said, and he did not resist.
“He had that look of, ‘I’m done, I surrender,’” Fiori said.
Associated Press writers Laurie Kellman, Ken Thomas, Jill Colvin, Michael Biesecker, Stephen Braun and Chad Day in Washington; Ellis Rua, Terry Spencer, Kelli Kennedy and Curt Anderson in Florida; Jim Mustian, Deepti Hajela, Tom Hays and Michael R. Sisak in New York; and Raphael Satter in Paris contributed to this report.
Bombs are part of American political history
October 30, 2018
Author: Keith Brown, Professor of Politics and Global Studies, Arizona State University
Disclosure statement: Keith Brown does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.
Partners: Arizona State University provides funding as a member of The Conversation US.
The bombs allegedly sent by a passionate Trump supporter to prominent liberals last week are a reminder that American history is littered with violence, with both the left and right pursuing political ends with explosives.
I’m a scholar who has researched conflict and its aftermath. From labor and anarchist unrest in the late 1800s to right-wing terror this past week, bombs have served political agitators as a shocking and deadly – but ultimately ineffective – way to fight their enemies.
Labor and bombs
Alfred Nobel’s 1867 invention of dynamite provided a weapon to the United States at the same time millions of industrial workers were laying the foundations of U.S. prosperity in the country’s mines, steelworks and slaughterhouses and on the oilfields, railroads and piers.
The extraordinary wealth that their labor produced went to enrich the factory and business owners and the financiers, whose names still resonate today – John D. Rockefeller, Andrew Carnegie and J.P. Morgan.
The disparity in rewards was clear to labor leaders, and as early as the 1880s they campaigned to improve working conditions and rates of pay for all. In the mix were radicals who believed in the “propaganda of the deed” – and that only through a major shock to the status quo could the system of exploitation be changed.
For these radicals — including Albert Parsons, editor of the anarchist publication The Alarm – dynamite was “a genuine boon for the disinherited.” When combined with mass-produced gas or water pipes, dynamite gave desperate men an easily concealed and transported means to disrupt the system they so resented.
They did so in Chicago in May 1886. During protests against police shootings, and in support of the eight-hour workday, someone threw a gas pipe bomb at police, “the first dynamite bomb ever used in peacetime history of the United States.”
The incident became known as “the Haymarket Affair” or “the Haymarket Riot.” Seven policemen and four demonstrators were killed.
Following the incident, newspapers carried detailed stories about the assembly and distribution of gas pipe bombs, especially the work of bombmaker Louis Lingg.
Lingg and Parsons were both tried and sentenced to death, even though neither threw the bomb that day. Six other men were also prosecuted following the Haymarket bombing. Lingg later committed suicide.
The gas pipe bomb in the 1880s was a weapon deployed by revolutionaries against powerful institutions of capital. Activists were willing to die for their beliefs, and used bombs in response to what they saw as everyday or “structural” violence, whereby states, governments and powerful companies pursued their own interests by exploiting ordinary people, and harnessed the instruments of “law and order” to shut down peaceful channels of dissent and change.
Bombs were again used in the famous Wall Street explosions on Sept. 16, 1920. At the financial heart of the country, near the banking giant J.P. Morgan and Co. building, 100 pounds of dynamite hidden in a horse-drawn cart detonated, sending shrapnel into the bodies of passersby and killing 38 people. Hundreds more were injured. It was the biggest terrorist incident in the United States until the Oklahoma City bombing in 1995, and was never solved.
Pipe bombs were again wielded for political purposes in the United States in the polarized 1960s and 1970s. The Weather Underground saw themselves as heirs to the 1880s anarchist revolutionaries and believed violence was necessary to achieve social and political change.
Known as the “Weathermen,” they claimed credit for bombing the New York City police headquarters in 1970, the same year a bomb their members were assembling accidentally went off and killed three of them. In July of that year, they claimed credit for bombing a New York bank after 13 Weathermen were indicted for conspiracy to commit terrorism. By 1975, the group had claimed responsibility for more than 25 bombings.
Not just the left
This period also saw extremists using bombs not against power elites and their policies, but to intimidate or eliminate voices of progressive change.
Dynamite was the weapon of choice for the four Ku Klux Klansmen who bombed the 16th Street Baptist Church in Birmingham, Alabama, on Sept. 15, 1963, killing four African-American schoolgirls. Although no prosecutions were made until 1977, 2001 and 2002, this hate crime was a catalyst in driving public support for the passage of the Civil Rights Act in 1964.
Less well-known are earlier pipe bomb attacks in California – two against liberal ministers who had criticized “radical right” groups in February 1962, and a third targeting the American Association for the United Nations in March 1963.
The February 1962 pipe bombs exploded as the Reverend Brooks Walker and the Reverend John Simmons were participating in a discussion panel hosted by a synagogue in Beverly Hills, with the title “Extreme Right – Threat to Democracy?”
The March 1963 pipe bomb exploded on the same night that the Rev. Brooks Walker was sworn in as President of the Association for the United Nations. The incident prompted Republican Sen. Thomas Kuchel to denounce the work of those he termed the “fright-peddlers” who encouraged such behavior.
No one was killed. But these bomb attacks, like the pipe bombs sent in early October 2018 to Democratic leaders, targeted individuals and their families who were vocal opponents of what they saw as the inflammatory, polarizing words and actions of extremists on the right.
Since the invention of dynamite, bombs have been a tool of choice for devotees of the entire range of fringe American political thought. Anarchists, radical left-wingers and racial supremacists, as politically different from each other as night and day, have been united in one thing: their use of a particular form of violence to achieve political ends.
They are united, too, in one other way: These methods haven’t worked.
My thoughts are my password, because my brain reactions are unique
October 25, 2018
Assistant Professor of Computer Science and Engineering, University at Buffalo, The State University of New York
Assistant Professor of Computer Science and Engineering, University of Colorado Denver
Associate Professor of Computer Science and Engineering, University at Buffalo, The State University of New York
Disclosure statement: Wenyao Xu receives funding from the National Science Foundation. Zhanpeng Jin receives funding from the National Science Foundation. Feng Lin does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.
Partners: University at Buffalo, The State University of New York provides funding as a member of The Conversation US.
Your brain is an inexhaustible source of secure passwords – but you might not have to remember anything. Passwords and PINs with letters and numbers are relatively easily hacked, hard to remember and generally insecure. Biometrics are starting to take their place, with fingerprints, facial recognition and retina scanning becoming common even in routine logins for computers, smartphones and other common devices.
They’re more secure because they’re harder to fake, but biometrics have a crucial vulnerability: A person only has one face, two retinas and 10 fingerprints. They represent passwords that can’t be reset if they’re compromised.
Like usernames and passwords, biometric credentials are vulnerable to data breaches. In 2015, for instance, the database containing the fingerprints of 5.6 million U.S. federal employees was breached. Those people shouldn’t use their fingerprints to secure any devices, whether for personal use or at work. The next breach might steal photographs or retina scan data, rendering those biometrics useless for security.
Our team has been working with collaborators at other institutions for years, and has invented a new type of biometric that is both uniquely tied to a single human being and can be reset if needed.
Inside the mind
When a person looks at a photograph or hears a piece of music, her brain responds in ways that researchers or medical professionals can measure with electrical sensors placed on her scalp. We have discovered that every person’s brain responds differently to an external stimulus, so even if two people look at the same photograph, readings of their brain activity will be different.
This process is automatic and unconscious, so a person can’t control what brain response happens. And every time a person sees a photo of a particular celebrity, their brain reacts the same way – though differently from everyone else’s.
We realized that this presents an opportunity for a unique combination that can serve as what we call a “brain password.” It’s not just a physical attribute of their body, like a fingerprint or the pattern of blood vessels in their retina. Instead, it’s a mix of the person’s unique biological brain structure and their involuntary memory that determines how it responds to a particular stimulus.
Making a brain password
A person’s brain password is a digital reading of their brain activity while looking at a series of images. Just as passwords are more secure if they include different kinds of characters – letters, numbers and punctuation – a brain password is more secure if it includes brain wave readings of a person looking at a collection of different kinds of pictures.
To set the password, the person would be authenticated some other way – such as coming to work with a passport or other identifying paperwork, or having their fingerprints or face checked against existing records. Then the person would put on a soft comfortable hat or padded helmet with electrical sensors inside. A monitor would display, for example, a picture of a pig, Denzel Washington’s face and the text “Call me Ishmael,” the opening sentence of Herman Melville’s classic “Moby-Dick.”
The sensors would record the person’s brain waves. Just as when registering a fingerprint for an iPhone’s Touch ID, multiple readings would be needed to collect a complete initial record. Our research has confirmed that a combination of pictures like this would evoke brain wave readings that are unique to a particular person, and consistent from one login attempt to another.
Later, to log in or gain access to a building or secure room, the person would put on the hat and watch the sequence of images. A computer system would compare their brain waves at that moment to what had been stored initially – and either grant access or deny it, depending on the results. It would take about five seconds, not much longer than entering a password or typing a PIN into a number keypad.
After a hack
Brain passwords’ real advantage comes into play after the almost inevitable hack of a login database. If a hacker breaks into the system storing the biometric templates or uses electronics to counterfeit a person’s brain signals, that information is no longer useful for security. A person can’t change their face or their fingerprints – but they can change their brain password.
It’s easy enough to authenticate a person’s identity another way, and have them set a new password by looking at three new images – maybe this time with a photo of a dog, a drawing of George Washington and a Gandhi quote. Because they’re different images from the initial password, the brainwave patterns would be different too. Our research has found that the new brain password would be very hard for attackers to figure out, even if they tried to use the old brainwave readings as an aid.
Brain passwords are endlessly resettable, because there are so many possible photos and a vast array of combinations that can be made from those images. There’s no way to run out of these biometric-enhanced security measures.
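The enroll, verify and reset cycle described above, as an added toy model that is not the researchers' code. Brain readings are simulated from hashes, and the feature size, noise level, threshold and all names are assumptions, as is the premise that one person's responses to different images are unrelated.

```python
import hashlib
import math

DIM = 64         # features recorded per image (assumed)
NOISE = 0.3      # trial-to-trial variation in a reading (assumed)
THRESHOLD = 0.8  # minimum cosine similarity to accept a login (assumed)


def _stream(seed, n):
    """Return n deterministic pseudo-random floats in [-1, 1) derived from seed."""
    out, counter = [], 0
    while len(out) < n:
        block = hashlib.sha256(f"{seed}|{counter}".encode()).digest()
        out.extend(int.from_bytes(block[i:i + 4], "big") / 2**31 - 1.0
                   for i in range(0, 32, 4))
        counter += 1
    return out[:n]


def read_response(person, stimuli, trial):
    """Simulated sensor reading: a stable person+image response plus noise.

    Constructed data: a real system would extract features from EEG signals.
    """
    reading = []
    for image in stimuli:
        stable = _stream(f"resp|{person}|{image}", DIM)
        noise = _stream(f"noise|{person}|{image}|{trial}", DIM)
        reading.extend(s + NOISE * n for s, n in zip(stable, noise))
    return reading


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))


class BrainPasswordStore:
    """Hypothetical template database: one image sequence and template per user."""

    def __init__(self):
        self._records = {}  # user -> (image sequence, averaged template)

    def enroll(self, user, stimuli, readings):
        # Several readings are averaged, as with registering a fingerprint.
        template = [sum(col) / len(readings) for col in zip(*readings)]
        self._records[user] = (list(stimuli), template)  # replaces any old record

    def challenge(self, user):
        """Images the login screen must show for this user."""
        return list(self._records[user][0])

    def verify(self, user, reading):
        _, template = self._records[user]
        return len(reading) == len(template) and cosine(template, reading) >= THRESHOLD

    def leak(self, user):
        """Models a database breach: the attacker obtains the stored template."""
        return list(self._records[user][1])


def demo():
    store = BrainPasswordStore()
    old_images = ["pig", "Denzel Washington", "Call me Ishmael"]
    new_images = ["dog", "George Washington", "Gandhi quote"]
    results = {}

    # Enrollment after the person was authenticated some other way.
    store.enroll("alice", old_images,
                 [read_response("alice", old_images, t) for t in range(5)])
    shown = store.challenge("alice")
    results["genuine_login"] = store.verify("alice", read_response("alice", shown, 100))
    results["impostor_login"] = store.verify("alice", read_response("mallory", shown, 100))

    # Breach: the stolen template can be replayed until the password is reset.
    stolen = store.leak("alice")
    results["replay_before_reset"] = store.verify("alice", stolen)

    # Reset: re-enroll with three new images; the stolen template is now useless.
    store.enroll("alice", new_images,
                 [read_response("alice", new_images, t) for t in range(5, 10)])
    results["replay_after_reset"] = store.verify("alice", stolen)
    results["genuine_after_reset"] = store.verify(
        "alice", read_response("alice", store.challenge("alice"), 101))
    return results


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```

The replay check is the point of the model: the leaked template stays valid until re-enrollment replaces it, so a reset has to follow promptly after a breach is detected.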
Secure – and safe
As researchers, we are aware that it could be worrying or even creepy for an employer or internet service to use authentication that reads people’s brain activity. Part of our research involved figuring out how to take only the minimum amount of readings to ensure reliable results – and proper security – without needing so many measurements that a person might feel violated or concerned that a computer was trying to read their mind.
We initially tried using 32 sensors all over a person’s head, and found the results were reliable. Then we progressively reduced the number of sensors to see how many were really needed – and found that we could get clear and secure results with just three properly located sensors.
This means our sensor device is so small that it can fit invisibly inside a hat or a virtual-reality headset. That opens the door for many potential uses. A person wearing smart headwear, for example, could easily unlock doors or computers with brain passwords. Our method could also make cars harder to steal – before starting up, the driver would have to put on a hat and look at a few images displayed on a dashboard screen.
Other avenues are opening as new technologies emerge. The Chinese e-commerce giant Alibaba recently unveiled a system for using virtual reality to shop for items – including making purchases online right in the VR environment. If the payment information is stored in the VR headset, anyone who uses it, or steals it, will be able to buy anything that’s available. A headset that reads its user’s brainwaves would make purchases, logins or physical access to sensitive areas much more secure.
As digital threats grow, will cyber insurance take off?
October 26, 2018
Professor of Management, University of North Carolina – Greensboro
Disclosure statement: Nir Kshetri does not work for, consult, own shares in or receive funding from any company or organization that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.
Cyberattacks cost the world more than natural disasters – US $3 trillion in 2015, a price that may climb to $6 trillion annually by 2021 if present trends continue. But most people – and even most businesses – don’t have insurance to protect themselves against this rising threat.
Insurance against all kinds of risks – disease, disaster, legal liability and more – is extremely common. In the U.S., companies, families and even government agencies paid a combined $2.7 trillion in insurance premiums in 2016 – and received payouts totaling $1.5 trillion. But just $2.5 billion – 0.09 percent of the total spending – went to buy insurance against cyberattacks and hacking. Elsewhere in the world, there’s even less coverage. For instance, in 2017 the cyber insurance market in India was $27.9 million, 0.04 percent of the total insurance premiums paid in the country that year.
From my research on cybercrime and cybersecurity over the past two decades, it is clear to me that cyberattacks have become increasingly sophisticated. The cyber insurance market’s extremely small size suggests that organizations and individuals might have underrated its importance. However, more and more internet users are finding reason to protect themselves. In 10 years’ time, insurance coverage for cyberattacks could be standard for every homeowner.
Who is buying cyber insurance?
Certain types of companies tend to have – or not have – cyber insurance. The larger the firm and the more closely it depends on computerized data, the more likely it is to have coverage against digital threats.
For a company, that can make sense, because a digital intrusion can cost hundreds of thousands or even millions of dollars to fix and recover from. For individuals, the costs of a breach are lower, but still significant – even as high as $5,000.
Regular people are far less likely to have digital protection than companies are. In India, personal cyber insurance is less than 1 percent of the total cyber insurance market. In the U.S. and elsewhere, most products are targeted at rich people. Insurers such as AIG, Chubb, Hartford Steam Boiler and NAS Insurance sell personal cyber insurance policies as add-ons to homeowners’ and renters’ insurance.
The insurance industry is doing more, too. A wide range of insurers such as Munich Re, AIG’s CyberEdge, Saga Home Insurance, Burns & Wilcox and Chubb all offer cyber insurance for individuals. These plans cover as much as $250,0000 to repair or replace damaged devices and to pay for expert advice and assistance if a cyberattack affects a policyholder. They may also include data recovery, credit monitoring services and efforts to undo identity theft.
Even health services may be included: AIG’s new product Family CyberEdge policy includes a coverage of one year of psychiatric services if a family member is victimized by cyberbullying. Also covered is lost salary if the victim loses a job within 60 days of discovering cyberbullying. Some insurers offer policies that provide help to assess policyholders’ data security practices and scan for cyberthreats.
Another cybercrime that’s becoming increasingly common is called ransomware – in which malicious software takes over a person’s computer and encrypts his or her data. Then the program demands the victim pay a ransom – often in bitcoin or other cryptocurrencies – to get the data decrypted.
Some ransomware attackers don’t actually decrypt the data, even if they get paid – but that hasn’t stopped victims from paying big bucks – at least $1 billion in 2016 alone. Even so, there are insurers who sell coverage against ransomware, providing backup and decryption services – or even paying the ransom.
As smart home systems become more popular – as well as various technologies to monitor and help coordinate local government services – they’ll provide more potential entry points for hackers. An average home insured by AIG has 20 Wi-Fi-enabled devices. Replacing a hijacked home’s entire smart lighting system, smart entertainment center, thermostat and digital security devices will be expensive – and the bill will only be higher for communities using internet-connected streetlights, water meters, electric cars and traffic controls. Those are opportunities for insurance companies to step in.
Some current challenges
Before cyber insurance becomes more common, however, the insurance industry will likely have to come to some consensus about what will and won’t be covered. At the moment each plan differs substantially – so customers must conduct a detailed assessment of their own risks to figure out what to buy. Few people know enough to be truly informed customers. Even insurance brokers don’t know enough about cyber risks to usefully help their clients.
In addition, because cybercrime is relatively new, insurers do not have much data on how much various types of cybersecurity problems can cost to fix or recover from. They therefore tend to be conservative and overcharge.
As people become better-informed about the digital dangers in their lives, and as insurance companies are able to more clearly explain – and more accurately price – their coverage options, the cyber insurance market will grow and may expand rapidly. In the meantime, most policies have some degree of custom design, so consumers should be careful to look for policies that actually cover their needs, and not just evaluate plans based on cost.
Illuminating the ‘dark web’
October 30, 2018
Author: Robert Gehl, Associate Professor of Communication, University of Utah
Disclosure statement: MIT Press provides funding as a member of The Conversation US.
In the wake of recent violent events in the U.S., many people are expressing concern about the tone and content of online communications, including talk of the “dark web.” Despite the sinister-sounding phrase, there is not just one “dark web.” The term is actually fairly technical in origin, and is often used to describe some of the lesser-known corners of the internet. As I discuss in my new book, “Weaving the Dark Web: Legitimacy on Freenet, Tor, and I2P,” the online services that make up what has come to be called the “dark web” have been evolving since the early days of the commercial internet – but because of their technological differences, are not well understood by the public, policymakers or the media.
As a result, people often think of the dark web as a place where people sell drugs or exchange stolen information – or as some rare section of the internet Google can’t crawl. It’s both, and neither, and much more.
Seeking anonymity and privacy
Websites on the dark web don’t end in “.com” or “.org” or other more common web address endings; they more often include long strings of letters and numbers, ending in “.onion” or “.i2p.” Those are signals that tell software like Freenet, I2P or Tor how to find dark websites while keeping users’ and hosts’ identities private.
Those programs got their start a couple of decades ago. In 1999, Irish computer scientist Ian Clarke started Freenet as a peer-to-peer system for computers to distribute various types of data in a decentralized manner rather than through the more centralized structure of the mainstream internet. The structure of Freenet separates the identity of the creator of a file from its content, which made it attractive for people who wanted to host anonymous websites.
Not long after Freenet began, the Tor Project and the Invisible Internet Project developed their own distinct methods for anonymously hosting websites.
Today, the more commonly used internet has billions of websites – but the dark web is tiny, with tens of thousands of sites at the most, at least according to the various indexes and search engines that crawl these three networks.
A more private web
The most commonly used of the three anonymous systems is Tor – which is so prominent that mainstream websites like Facebook, The New York Times and The Washington Post operate versions of their websites accessible on Tor’s network. Obviously, those sites don’t seek to keep their identities secret, but they have piggybacked on Tor’s anonymizing web technology in order to allow users to connect privately and securely without governments knowing.
In addition, Tor’s system is set up to allow users to anonymously browse not only dark websites, but also regular websites. Using Tor to access the regular internet privately is much more common than using it to browse the dark web.
Moral aspects of ‘dark’ browsing
Given the often sensationalized media coverage of the dark web, it’s understandable that people think the term “dark” is a moral judgment. Hitmen for hire, terrorist propaganda, child trafficking and exploitation, guns, drugs and stolen information markets do sound pretty dark.
Yet people commit crimes throughout the internet with some regularity – including trying to hire killers on Craigslist and using Venmo to pay for drug purchases. One of the activities often associated with the dark web, terrorist propaganda, is far more prevalent on the regular web.
Defining the dark web only by the bad things that happen there ignores the innovative search engines and privacy-conscious social networking – as well as important blogging by political dissidents.
Even complaining that dark web information isn’t indexed by search engines misses the crucial reality that search engines never see huge swaths of the regular internet either – such as email traffic, online gaming activity, streaming video services, documents shared within corporations or on data-sharing services like Dropbox, academic and news articles behind paywalls, interactive databases and even posts on social media sites. Ultimately, though, the dark web is indeed searchable as I explain in a chapter of my book.
Thus, as I suggest, a more accurate connotation of “dark” in “dark web” is found in the phrase “going dark” – moving communications out of clear and public channels and into encrypted or more private ones.
Focusing all this fear and moral judgment on the dark web risks both needlessly scaring people about online safety and erroneously reassuring them about online safety.
For instance, the financial services company Experian sells services that purport to “monitor the dark web” to alert customers when their personal data has been compromised by hackers and offered for sale online. Yet to sign up for that service, customers have to give the company all sorts of personal information – including their Social Security number and email address – the very data they’re seeking to protect. And they have to hope that Experian doesn’t get hacked, as its competitor Equifax was, compromising the personal data of nearly every adult in the U.S.
It’s inaccurate to assume that online crime is based on the dark web – or that the only activity on the dark web is dangerous and illegal. It’s also inaccurate to see the dark web as content beyond the reach of search engines. Acting on these incorrect assumptions would encourage governments and corporations to want to monitor and police online activity – and risk giving public support to privacy-invading efforts.