Posts by tom dial 2187 publicly visible posts • joined 16 Jan 2011
Career State Department security and IT staff who raised questions about Ms. Clinton's server were instructed "never to speak of the Secretary’s personal email system again." The State Department Inspector General's report on the matter is interesting, maybe especially for those inclined to make light of it.
Jeb Bush, Scott Walker, Chris Christie, and Bobby Jindal were state governers and not subject to federal laws that govern storage and processing of federal government data. They may or may not have been compliant with applicable state laws; I do not recall seeing complaints about that. Marco Rubio's alleged problem occurred when he was a state legislator, so also not subject to the federal laws that Hillary Clinton violated during her tenure as Secretary of State.
Condolezza Rice and Colin Powell (as well as Marco Rubio and most of the named governers) used commercial services that almost certainly were better maintained and more secure than Secretary Clinton's personal server setup (see, for example,
http://www.theregister.co.uk/2015/10/14/hillarys_sysadmin_next_to_the_pillory/).
Both Rice and Powell also used email far less than Clinton, whose 30,000+ emails establish a rate of over 20 a day, including weekends and holidays.
It is only necessary to read the juicy parts of the State Department IG report to see that there was intent to bypass reasonable security procedures, and that is true even if the primary or secondary motive was to keep control of records that might be demanded under the FOIA or become permanent records of Secretary Clinton's tenure at the State Department.
@kain preacher and others wishing to equate the actions of Clinton, Rice, and Powell: The fact that Hillary Clinton is running for President (and neither Colin Powell nor Condolezza Rice is) should have nothing to do with whether to charge any of them, or not. Secretary Clinton's transgressions, at well over 20 email messages per working day, are far more significant than those of Powell, who admitted to a few hundred during his tenure, or Rice, who stated that she did not use email significantly. In addition, Secretary Clinton contrived to use a personally owned and operated, and quite insecure, setup for her official email correspondence, and Secretaries Powell and Rice reportedly used commercial services which probably had more competent and regular maintenance and hopefully better configuration than hers. There could well be justification for prosecuting Clinton but not either of the others, even ignoring the fact that federal information assurance standards and procedures became considerably more stringent between 2001 and 2009.
I see two fundamental differences between Sanders and Trump. First, Sanders is undeniably qualified by experience and temperament for the office; better qualified, I would argue, than Hillary Clinton. Trump cannot say the same; creating and running successful businesses is not like being the US president, if only because the Senate, House of Representatives, and federal judiciary are full of men and women with independent power status that is not so evident in even publicly held companies and can be effectively nonexistent in privately held ones. Second, Sanders is a man of personal and intellectual integrity, worthy of trust, by all reports I have seen; while I would not say that Trump is not, it seems to me far less obvious in his case than in Sanders'.
Using a personal email account for official communications was not, and as far as I know is not unlawful as such (I retired at the end of 2011 and there could be changes of which I am not aware). There are occasions when it is necessary to send or receive email but impossible or impractical to access a government network to do so. There was, and I presume is, guidance about when this is allowable and what additional steps, like copying a superior on such emails as I always did. The norm and requirement, however, was and is to use government facilities whenever possible.
Clinton's use of personally owned and notably insecure facilities, administered "at her cost" by a former campaign aide hired to the State Department as a Schedule III political appointee, is far worse than Powell, Rice, and perhaps Albright using commercial email services that probably were maintained and secured to a halfway reasonable standard, particularly as neither of them reported using email very extensively compared to Secretary Clinton's average of well over 20 per day.
I never expected an indictment in the matter, maybe partly because I don't know enough law to decide whether FISMA violations are prosecutable or lead merely to employee disciplinary action. However, "not indicted" is a very poor measure of fitness for an office of trust.
I do not agree that Barack Obama is the worst of all presidents. That's a strong claim that requires strong evidence. He is, however, one of the most autocratic, driven partly by unwillingness of Republican legislators to work with him politically, but mainly by his diffidence and unwillingness to work politically with Republican legislators. He undeniably is a smart and thoughtful man, but any reports of his political competence are in error. In that respect, he is a dwarf beside Bill Clinton and Ronald Reagan and numerous earlier presidents.
Worth another upvote though. Hillary Clinton showed, by her disrespect for both her superior, the President, her subordinates at the Department of State, the laws she aspires to take Care be faithfully executed (US Constitution, Article II, Section III), and the people, that while she may be well-qualified for the office, she is unfit to hold it.
Open source software not only has nothing to do with whether raw data was/was not retained, but also cannot be assumed to be more correct or free from error than closed source. I also use, and recommend it, but do not delude myself that it is free from error, and I have plenty of examples to show it is not.
The comparisons seem to be between the maximum consecutive sentence that might apply in this case and some reported actual sentence for a crime like rape or murder. That is neither appropriate nor meaningful. It would be as sensible to argue that the rape or murder sentences given should have been an order of magnitude or more longer, as in many cases they could have been given that laws typically specify a range of sentences, giving the judge some discretion in actual cases, including whether sentences handed down for multiple violations are to be served consecutively or concurrently.
At the moment, the pendulum seems to be oscillating rapidly between increasing judicial sentencing discretion for nonviolent drug violations and reducing it for sexual assault, where the present low seems to be six months.
I am not a lawyer, but it seems to me the case is a bit weak. The challenged provision, 1030(a)(2)(C), may be unconstitutionally vague, but there does not seem to be a genuine controversy in the facts the ACLU states against which to test it. The applicable ACLU citations that I found seem off point for the circumstances ACLU cite, and do not show uniform success. One misdemeanor conviction was overturned on appeal; one case ended with a guilty plea to conspiracy to commit fraud involving about $25 million and a misdemeanor CFAA violation; one civil case brought under 1030a(4) - intent to defraud, not 1030a(2)(C) the plaintiffs challenge - apparently succeeded, while another civil case was dismissed. It is not clear that the plaintiffs' research proposals would expose them to significant risk of either criminal civil action.
The CFAA certainly deserves significant revision, but the plaintiffs seem to want the court to do that rather than the Congress, which is the appropriate branch of government.
The indictment charges that Love gained unauthorized access to one or more Federal Reserve Bank servers, copied information from them, and published it. It also charges that Love used that information in a way that constitutes identity theft. An indictments describes what is charged, not the evidence to be used to prove the charge in court. It is entirely reasonable to think the US Attorney has evidence gained from Federal Reserve Bank systems in addition to information to be provided by testimony of informants, whether confidential or not. And whatever the evidence might be, if the case goes to trial it must be adequate to convince all jurors.
Plea bargains are useful in resolving cases where the evidence is good enough that the risk of a conviction is substantial, and prosecutors certainly have overcharged to get accused to bargain down to conviction for a lower offense, but where the evidence is weak and the offense is not one likely to sway a jury, a jury trial is a good option. And where it would be difficult to get a relatively neutral jury (as, for instance, in the recent Baltimore police prosecutions) an accused has the option of a bench trial.
According to the indictment (see https://pdf.yt/d/kjcd0UksAPXuSP-Q/ ) Lauri Love is charged with violating the CFAA (18 USC 1030) and with identity theft (18 USC 1028). The indictment states that he discussed this somewhat extensively in chat rooms, but that has nothing to do with the actual charges.
The CFAA charge alleges that Love accessed one or more Federal Reserve Bank servers (using "sequel" injection) and copied out and publicly posted personal identifying information of FRB system users. The identity theft charge doesn't include informative detail, but refers back to the hacking charge, suggesting that the US Attorney thinks he can prove that Love, and possibly others, used the personal information taken for personal gain.
While the CFAA is overbearing and has been abused, this charge seems fairly clearly within the scope of what its authors probably intended and what most people probably would think appropriate. The prosecutor still would have to prove the charges to a jury, and the utility of the chat room information would be useful only as supporting information for testimony, and excludeable if obtained without warrant.
Years ago I promised never to mess with or change more than minimally my wife's laptop (Windows 7 Home Premium, with all the HP cruft). I have been extremely careful to decline automatic updates and to refuse W10 on every patch Tuesday. If she allows it based on examination of the upgraded preview version, I will make a block copy of the disk and go forward with the install early in July. If it fails I may call MS, but probably will just load the image back onto the disk and continue with Windows 7 until the system, now 5 or 6 years old, is replaced. After July 29, I hope the upgrade nag will go away; if it does not, I may look into the Utah small claims courts.
The suggestion that the plaintiff's system was unknowingly enrolled in the beta program almost certainly is incorrect, but the drift of the article suggest she is unlikely to have the technical knowledge to come up with such a suggestion on her own. The reported problem also seems an unlikely result of such an event, as the failure probably would have occurred much earlier. A more likely explanation, in my opinion, is that a MS tech support agent suggested it, perhaps to divert attention from the fundamental Microsoft error of instituting default and largely non-consensual installation (or installation with poorly informed or implicit consent, which is nearly as bad).
I'm an American, but grew up hearing of British determination from my parents, who sailed to Britain in September 1940 to join the American Hospital in Britain, near Basingstoke. I doubt the terrifying predictions of Britain's demise, as they doubted it would fall to the German military onslaught; I wish you well.
The second amendment has roots in the English Bill of Rights (1689) among other things. Analogues also were present in the state constitutions of New York, New Hampshire, Massachusetts, and Pennsylvania, where controlling restless slaves would not have been a major issue, and also in the Articles of Confederation and in the Northwest Ordinance that governed settling the area that now includes Ohio, Indiana, Michigan, Illinois, Wisconsin, and part of Minnesota and prohibited slavery throughout the territory. Georgia, which permitted slavery at the time, had no constitutional provision that allowed keeping and bearing arms, although as in all of the states, customary and common law (adopted almost entire from England) certainly would have allowed it.
Roughly 3 US households in 10 have one or more guns. That's a large enough number to qualify as reasonably normal, or at least not seriously abnormal. The average number of guns per owning household is somewhat nearer 3 than 2, which is not overwhelmingly large. Still, that is a lot of guns compared to all other countries, and based on death and injury statistics, in need of a bit of regulation.
There is a significant contradiction between the implicit notion that the government should not be able to bypass tight procedures, involving some type of judicial review, in order to conduct a search, yet should be able, based only on hearsay and with no judicial review whatever, to abridge the explicit constitutional right to own firearms.
According to the FBI's public information, you cannot find out if you are listed in the Terrorist Screening Database, and although there is a link for "Redress Procedures," it refers to a page of bureaucratese jargon that inspires little confidence in the existence of real redress. Use of such material to deny any right is seriously problematic, and its use without review independent of those who assemble and maintain it fails miserably, in the same way as national security letters, to meet a reasonable standard of due process, as the fifth amendment requires. The history of the DHS No Fly List suggests that although it doubtless is considerably smaller (at a bit over 100,000) it is no better.
I suggest that there is another possibility: If the US were to make such a requirement stick (I think the last version of Burr-Feinstein that I saw is pretty unlikely to pass), it is likely enough that it would be followed by similar legislation in quite a few other countries, with China and Russia in the mix but not necessarily the first.
Saddam Hussain was 65 or so when the US invaded Iraq and nearly 70 when found and executed. He was unlikely to live too much longer even if undisturbed by the US invasion, and it is likely that there would have been a succession struggle after his death, during which it is likely that Iraq would have been dismembered or fallen into civil war. The outcome would have been different, but it is not obvious it would have been better. Something like the disintegration of Yugoslavia after Tito's death seems in the ball park.
That is not to say that the US invasion was the right thing to do; it was not. However, the Iraq's inherent instability, which goes back to the end of the First World War probably would have led to internal war, however much the invasion hastened it, and it might well have been worse.
Lobbyists may affect laws going forward, but have little or nothing to do with the operation of a court.
In the US, because of the first amendment to the Constitution, the limits on speech, understood in its most general sense, are very narrowly circumscribed. Some, and I include myself, think of this as a feature, not a defect. Most of the spew of the crazies is not and cannot effectively be made unlawful despite the fact it is hurtful or in terrible taste and its authors are worthy of condemnation and extensive public shaming, which the Internet provides for as easily and extensively, or more, as it does for the nastiness.
Google, Twitter, Facebook, and others, as private entities, are not bound by the First Amendment and can do as they think appropriate within very wide limits (within the US) when it comes to anything remotely like political (or commercial) "speech."
Although we did not, in the somewhat distant past "random individuals with mental illness reading the output of those organisations on the Net and, as a result, going out and killing people" we did have "random individuals with mental illness" (for some reasonable understanding of mental illness) "going out and killing people." One need go no further than Wikipedia to see that rather clearly.
In the US the system is full of holes and vulnerabilities. The reason fraud rarely is caught is that it is not often an issue (because most elections are not very close) and therefore is not much looked for. In addition, checking for the types of voting fraud mentioned is quite difficult. As another poster mentioned, there is no easy way to connect deaths and voter registration lists. Although some states, maybe most, share voter lists in an attempt to identify multiple jurisdiction registrations, that undertaking is afflicted with the difficult problem of name comparison that banks and S&Ls worked through several decades ago. For example, there may or may not be duplicates among A D Smith, Albert D Smith, Albert Donald Smith, A Donald Smith, A David Smith, Arthur David Smith (and quite a few other possible variations), and it would be a substantial effort as well to read death notices and be certain of removing registrations of those, and only those, who are deceased. Photo IDs, which are available at no direct cost in all or nearly all states that require them, partly address the issue.
Actually, it would not do that. The political machines of old depended heavily on making sure the government ran decently, Chicago being the last major example. As late as the early 1960s under the Daley machine it was arguably the best run large city in the US. At that time, and earlier, the streets were maintained, the garbage collected, and if you had a problem that the city government you could call the Alderman's office and stand a reasonable chance of getting the problem solved. At that time, too, it was customary for the machine's precinct workers to hand out $2 per voter with the instruction to go vote - the recipient knew which candidate to vote for.
There was graft, to be sure, in things like minimum-show jobs, various forms of self enrichment among the higher ranked members of the political class, and contracts where the low bidder had information that the others did not. As long as it didn't get out of hand and the essential city government functions were maintained it was tolerable.
Multiple voting across jurisdictions would be a problem of possible significance mostly in presidential elections, and to a smaller degree in state wide elections such as those for governer or US senator. The most likely offenders would be students who, due to great indignation some years past, were allowed to register and vote at their college or university while retaining their voting status at their former (and often summer) residence. I thought about doing that about 50 years ago, but decided against it. Since then it has become a bit more difficult as states have coordinated comparison of their voting lists
The Australian system does not seem notably more vulnerable to fraud, but does seem to depend on the voters trusting the election administrators rather more than is usual in the US.
Before retiring, one of my least favorite activities was sorting through the security issues from old, decrepit, and buggy versions of Java that vendors had bundled with their application. They typically promised to support only the version they bundled, and as we were a US DoD agency, we were required to have support for niceties like security issues. This was not a problem until a vendor's favorite java became an unsupported product, at which point we had to start writing POA&M or Acceptance of Risk documents about the Java that Sun or Oracle no longer supported. Sometimes we had four or five versions, of which two or three no longer had support. That left us in a bind: replacing the unsupported Java gave us an unsupported Java application. Explaining that to the CIO was not pleasant, who was extremely averse to signing an Acceptance of Risk.
Snap appears to be a codification into open source of this noxious practice.
The "Kneejerk" reaction seems to have been based quite solidly on a statement Omar Mateen gave, at about the time he began shooting, to "law enforcement officials about further carnage, [in which he] claimed allegiance to the Islamic State and praised the Boston Marathon bombers" (reported in the New York Times). It is not unreasonably called terrorism given the apparent ideological/political connection.
That said, there has been for years an unfortunate tendency to use the term "terrorism" in ways so vague as to make it useless in defining or describing anything.
Quite interestingly, the first paragraph of this post suggests strongly, although implicitly, that intellectual property and the various laws and behaviors that protect it generally act to retard progress. The Chinese, by their industry and use of knowledge and techniques some of which doubtless are claimed by someone as intellectual property, have enriched us all. Their consideration for the environment may be less than desirable, but that also was, and is, common in both developed and developing areas.
The federal government and some state governments have standard ways to determine sentencing of those convicted (or who confessed). Other state governments, in particular California, do not have uniform sentencing standards, leading to greater variability and occasional public outrage over sentences considered either too long or too short.
Paul Cassell, a former federal judge, wrote on this in the context of the Stanford case a few days ago in the Volokh Conspiracy blog. He noted that under federal law (on federal/non-state territory) Turner's conviction could have carried a life sentence, and federal sentencing guidelines are for 97 - 121 months imprisonment. He also links to a Washington Post article reporting that the average state sentence for a rape is 11 years
It may be the real lesson in this is that there is not a US system of justice, over 50 of them: 50 states, District of Columbia, Puerto Rico, various territories, federal, and military. There may be more. States are largely sovereign and likely to show a considerable range for any offense.
"[H]ow removing funds is better than just freezing accounts"
A bank is quite unlikely to freeze an account without a proper court order to do so and possibly concurrence of their internal legal office. Lots more paperwork, and much lower success probability than simple confiscation. And the skimmer is useful too, because the card contents don't become available automatically as does seized cash.
The immediate seizure process is so obviously in conflict with the fourth, fifth, and occasionally sixth amendments that it seems incomprehensible that it was not suppressed shortly after enactment.
In the past, courts have made irrelevant or improper orders, including warrants. There is no reason to think there won't be more issued in the future. Courts, being staffed by people, all imperfect, sometimes will make mistakes or be carried away by some enthusiasm and do things they should not. For that reason there are appellate courts, and the recipient of a court order normally would enter an appeal if he or she thought it invalid. As Apple did in the recent case of Syed Farook's county supplied iPhone.
National Security Letters are, and have been, abominations. Police, with possible exceptions for exigent circumstances similar to what they have for searches, should be required to obtain permission for metadata acquisition through a formally independent judicial process, as they do for telephone metadata or a pen register under Smith v Maryland.
In general it would be ordinary courts of first jurisdiction issuing search warrants, not the FISC, which has as it primary purpose oversight of foreign intelligence operations. The search warrant for Syed Farook's iPhone, as an example, was issued by a federal magistrate judge in California. The several hundred warrants the Manhattan DA would like help executing were issued by New York state courts and probably none relates to national security matters.
Feinstein and Burr's draft was flawed, but the intent behind it was in no way inherently inconsistent with the US Constitution and Bill of Rights.
It is not at all obvious that a requirement that a producer assist with search warrant execution, or even actually providing such assistance, would render its products unsalable. It seems likely that the producer least able to give effective assistance would experience increased demand, although I suspect that in many places, including the US, the difference would not be large.
The presumption that such a requirement would apply only in the US also is suspect. Law enforcement officials elsewhere certainly would like to be able to access smart phone and similar computer stored data. Indeed, there is no obvious reason to think such requirements are not already in place somewhere.
The courts would decide relevance and propriety, as they have done for the last 225 years in the US and longer than that, I think, in Britain. As they would in the case of the related search warrant.
A company might try for compensation of indirect costs. I do not think it likely they would succeed, but admit the possibility that I am mistaken in that.
Nothing very novel is involved here.
For now. All the government really needs is a law that requires companies to assist in executing relevant and proper court orders to the extent they can, with compensation for the direct cost of doing so. Depending on the outcome of pending appeals around use of the All Writs Act, they might not need even that.
There is absolutely no constitutional issue here, and any mention of either mass or other surveillance in this connection is misdirection.
The repetitious denigration of COBOL is both unwarranted and counterproductive. It is unwarranted because for many purposes (see the 'B' in the acronym) it is a perfectly good language, if more than a bit wordy, for representing and solving the problems in its domain. It is counterproductive because it is (or was the last time I saw any reports) still in use for a good deal of core financial and other data processing in the US and probably numerous other countries. The cost to reimplement such systems is enormous, and COBOL, like FORTRAN, is likely to remain widely used for quite a while going forward. Discouraging students from learning it, or removing from the CS curriculum, does not serve the students or their prospective future employers well. Competent programmers certainly can learn a new language at need, but prior knowledge cannot help but be beneficial all around.
My son, a system development supervisor, has said for years that all too many programmers lack a basic understanding of what the machine they are writing to is doing under the covers. I made the same observation during a stint in a developer technical support position about 25 years back. While for many purposes that is unimportant that lack can bite rather hard when an application fails to perform well enough and the customers are angry that they cannot do their work.
And here the general concepts ("big picture knowledge") do not help all that much. What is most useful is detailed knowledge of what the computer is doing, how (for example) a file is organized and what has to happen between the request for a record and its delivery to the program for processing, and maybe most useful, what can be done to adjust the operating system environment, the program, or both, to eliminate bottlenecks and delays.
On the face of the CFAA text (18 USC 1030) the restriction to SSAN only does not seem correct. However, the act appears not to apply in the case of an anonymous FTP server, as such things effectively authorize anyone to search and retrieve data within the limits otherwise set by the server's security environment.
Lack of a password is not an invitation for access.any more than is a port left open due to accidental firewall misconception.
That said, if the circumstances are as reported, Mr. Shafer should have a reasonable basis to sue based on unreasonableness of the search, and the federal agent who put his or her name on the affidavit seeking the search warrant* (and any supervisors who signed off on it) should be disciplined firmly, at least to the extend of losing a chunk of pay, as should whoever authorized a raid in the early morning. The issuing judge might have authorized speedy action to prevent destruction of evidence, but it is quite unlikely that the circumstances would warrant starting a surprise search before normal rising time or Shafer's reported (in Daily Dot) detention in handcuffs.
Warrants may sometimes be obtained fraudulently or through error. Judges generally are not in position to determine independently the truth of an affidavit and must rely on the honesty of the applicant and those who support the warrant application. None of them are likely to be pleased if a warrant is overturned after the fact because a search was determined later to have been objectively unreasonable and any evidence collected during the search is disallowed, along with other evidence to which it guided the way. That is not, of course a very satisfactory solution for those who, like Shafer, are on the receiving end, but may be the best possible given that criminal justice is administered by imperfect people with incomplete knowledge and sometimes impure motives.
And at the back of it all is the CFAA, which came out of the starting gate in need of major revision and has not improved with age.
* This assumes there was a warrant; if there wasn't, the government's (and agents') difficulties would properly be quite a bit larger.
If paid with a credit card, the card issuer might have provisions you can use to put pressure on Microsoft that they cannot ignore easily, like pulling back and returning your money to you. The one I use most often offers such a additional protection plan, although I never have had occasion to try it.
I do not know about California, but small claims courts in many states are suitable for claims at least as large as the machine cost. They generally do not require a lawyer, and sometimes are ignored by defendants (leading to a default judgment for the plaintiff), and their orders are quite enforceable.
From the description in the article, their refusal to refund based on the POS POS terminal system probably is rubbish and they probably know it. A letter from a lawyer pointing this out in some detail might move them to action.
As a (minor) Microsoft shareholder, I think they should make good on things like this without a lot of fuss. As nearly always is true in cases like this, failure to do so promptly and cheerfully will cost them more in the end, both money and good will.
@Ivan4:
My first question after seeing the headline on this article was "who is this plaintiff's lawyer billing."
Another alternative is that he is a lawyer, and hopes to promote this to class action status, and with that win a few pennies for each shareholder (including himself) and collect a truckload of money for himself as the lead attorney for the class.
That said, this suit might be a tad premature inasmuch as the alleged losses are, as yet, entirely hypothetical.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
