Posts by tom dial 2187 publicly visible posts • joined 16 Jan 2011
in other words, someone else's privacy is fair game as long as you agree with the purpose for violating it, as stated by a trustworthy data custodian like Microsoft or Google. Presumably the NSA and GCHQ then would be OK if they simply looked for and reported those who exchange kiddie porn, keeping mindful that to do that they would have to scan everything they could get their hands on and decrypt what they could.
There may be other and more shocking documents yet to come, but the one so far shown on the Firstlook web site is pretty much a bore.
A quick scan of the Intercept article suggests that a majority of the nearly 700K TIDE listees are not US people. The one document referenced in that article suggests the number of US citizens or residents probably is in the order of 10,000, or roughly 3/1000 of one per cent of the population. I made no effort to add up the numbers, which probably would not be meaningful anyhow, as the referenced document is a typically turgid bureaucratic self congratulation such as all federal agencies prepare near the end of the fiscal year. This is done so that their bosses, who receive the report, can attach it to their annual list of accomplishments. I saw, and was required to provide "input" to more than a few such documents in 40 years of federal employment.
Iit is indeed inexcusable that so many sites fail to sanitize their input, but it would be of interest to know how many of the claimed 420,000 from which data was pilfered failed to salt and hash the passwords. Their developers warrant far harsher treatment than those who only were sloppy about input editing.
I had a similar experience (Amazon Prime, Comcast) a few days ago. At the same time, my local link showed low latency and about 50 megabits/second down, 10+ up. I suspect there might be issues related to Amazon's willingness to purchase enough capacity at their end or Comcast's connection to whatever their connection is to Amazon's servers. The other alternative is poor performance on my wlan due to the large number of neighborhood systems, some as strong as mine.
That said, competition is a Good Thing and we look forward with eagerness to the possibility that Google will bring it to us in Salt Lake City (suburbs - Xmission already provides gigabit service in some parts of the metropolitan area, I think).
Google, Amazon, Apple, and others may not (at present) have had a similar warrant delivered to them and would be without standing in a court. It is not impossible that one or more of them has filed an Amicus brief, however; the article did not say one way or the other.
The Internet was not designed for (or against) security. Accordingly, it is incumbent on those with a great interest in privacy of the communications they pass on the Internet to provide their own. For most of us, most of the time, the imitation privacy that goes with "not of interest to any but the communicating individuals" together with "mixed in with a great bunch of other trash" is sufficient, at least judging by the widespread failure to incur the additional cost of bothering with encryption. Using commercial services leaves one exposed to the risks that someone will snatch the messages in transmission (possibly assisted by broken SSL - including compromised certificates) or from the servers (possibly by breaking any storage encryption or compelling production using legal process). The closest thing to a guarantee of privacy is end-to-end encryption using the likes of (Open)PGP. Even that, of course, is subject to the risk that the originating or destination computer is compromised, possibly by a government agency but more likely by a criminal organisation.
Microsoft (Azure) T&Cs allow users to limit storage by geographical area (e. g., European, Asian, American), with some exceptions; and like all or nearly all companies, their privacy rules have a law enforcement exception. Within an area, or within the world if the customer fails to limit to a geographical area, Microsoft can move the data around as it sees fit.
I've never been a fan of "the cloud", but can't see there is a good reason not to store arbitrary data there, provided you encrypt on your premises and before transmission any data you would not want to post on a publicly accessible web page. Processing in the cloud is a different matter, as it involves outsourcing your security, accepting the associated risk, which may be either greater or less than the risk of doing it on your own.
There seems to be quite a bit of conflation in this thread about legal process and espionage, the latter being generally illegal in the target country while possibly legal in the one doing the spying. A foreign government official, including a head of state (like Ms. Merkel) could be an espionage target for various reasons, but it is unlikely that a US judge would issue a warrant to compel production of their communications. I do not think it is impossible, though, and there might be circumstances in which a warrant for communications would result in production of government officials' communications even when the target is not an official.
"So what is stopping us?"
Near terminal laziness, starting with use of webmail, for which decent end to end encryption still is somewhere between nonexistent and seriously deficient.
"How bad does it have to get?"
For nearly all people, it will have to appear to be a lot worse than it does now, even in the mild state of moral panic in which we now find ourselves. And those who actually need end to end encryption probably are using it already, which explains the intelligence agencies' interest in communication metadata.
For the reasons Mr. Pott cites, there will be no US law requiring that a company with a US presence must make its data available to the US government. On the other hand, the recently enacted UK Drip Act appears to go a few steps in that direction without triggering mass flight of businesses from there.
This case is not about an unrestricted requirement for US businesses to give up data held in foreign data centers on request of nosy government officials, or without a warrant. That would be a matter for the NSA, if anyone. It is, instead, about a warrant issued, in a criminal inquiry, by a federal judge with a passing knowledge, at least, of legal procedures and the fourth amendment. The decision, as the article pointed out, does not appear to set a precedent. The process of obtaining a warrant may present a low bar, as some of the FISA orders indicate, but it still interposes some procedural requirements and judicial review.
A bit over the top on both sides. The US government won't do that (it would piss off too many Americans) and the US economy would not collapse if all non-US Microsoft/Google/Amazon etc. customers abandoned them (assuming they all could find alternatives that met their requirements).
And we are, after all, apparently talking about execution of a warrant in a criminal investigation.
By all means, tie up Google and bring it down to the mediocre level of Yahoo! and Bing. That way all can suffer equally poor search results rather than being compelled to choose a provider. The obvious solution is to compel all DNS providers (at least in Europe) to randomly return an IP address for yahoo, bing, or google when the target is "google".
And why should we wish to use TrueCrypt, given the statement "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues" on the truecrypt web site, along with the accompanying statement that development and maintenance have been discontinued?
Encryption is a useful tool, but using unmaintained products from anonymous producers (therefore of unknown trustworthiness) would not be my first choice.
The Constitution of 1787 provided in Article I Section IX, that "importation of such Persons as any of the States now existing shall think proper to admit, shall not be prohibited by the Congress prior to the Year one thousand eight hundred and eight" and allowed the Congress to impose an import tax of up to $10 for each such person.
That does not quite constitute abolishing slave importation in the Constitution, however much it may be a signal that the tide had begun to turn against the slave owners.
In addition to the British ending their part of the slave trade, in 1807, importation of slaves was banned in the US in 1808, the earliest possible time under the set of compromises that allowed acceptance of the Constitution. The fact of the compromises indicates that slavery was recognized, by many in America, as the abomination that it was a generation earlier.
Although it's a bit late for finger pointing, the English did, beginning in 1652, participate with some degree of enthusiasm in the transatlantic slave trade.
"Posted anonymously because they 'know' and you probably work for them with an astroturfer's comment like what you posted."
Anonymous is pointless in this, as it probably is in all other forums. You are linked in the Reg database to your anonymous posts, as you will see if you review your past posts. And, as everyone knows, GCHQ has it if they want.
Posted with identiy because they know anyhow and it makes me think before submitting.
"[B]roader cryptographic community are really just amateur wannabes" once was substantially correct. That is no longer the case. There are increasing numbers of competent cryptographers in academia and the private sector, although intelligence agencies like NSA and GCHQ almost certainly are among the best if not the best sources of cryptographic expertise.
Actuially, it would make little or no difference, for at least two reasons.
First, the accuracy of any poll in which respondents select themselves is quite low to begin with, and any intervention by the various agencies is very unlikely to affect meaningful opinion measurements, as such polls usually do not produce any.
Second, polls - well-done or not - mostly reflect opinion. Evidence that the announced results drive opinion is somewhere between nonexistent and weak. There probably is a small effect at the margins, but not enough to matter much.
The most productive use for poll-fiddling might be to bend them toward results that show (a) a need for more agency funding and (b) that most of the people are not all that uncomfortable with agency activities. My guess, notwithstanding all the furor, is that (b) is not far from the truth anyhow.
I wonder if decrypting 256 bit AES would be faster than I can read the decrypted output; and also whether the time taken to encrypt really matters as long as it happens in less than minutes. And I wonder what the answers would be if the computer were restricted to an 8086.
A fuller statement of the relevant part of the Fourteenth Amendment is this:
"No State shall make or enforce any law which shall abridge the privileges or immunities of citizens of the United States; nor shall any State deprive any person of life, liberty, or property, without due process of law; nor deny to any person within its jurisdiction the equal protection of the laws."
The amendment appears to constrain State, but not federal, laws. It is silent about whether federal law such as that proposed may apply differently to citizens and non-citizens. That does not mean CISA is a good idea; it is not. The Constitution permits a great many things that are not very bright.
This post is, perhaps, correct in some sense but there are a few questions worth considering.
First, is there a reason to care whether an NSA (or CSEC, GCHQ, ASD, GCSB or, indeed, any other signals intelligence agency) would care about your business or would be in position to harm you or a business you operate? While that might seem too much like "if you have nothing to hide you have nothing to fear", it is part of the task of evaluating risk. In the US, illegally obtained evidence is likely to be excluded by a judge, and that would, possibly with additional legal arguments probably extend to information obtained using warrants issued based on illegally obtained communication intelligence. The other Five Eyes nations, and most others we generally think of as democratic probably are similar.
Second, is data you hold a target for criminals wishing to exploit it (Target, for instance), or competitors? For both questions, what is the probable cost in recovery efforts or lost business? Are there other risks to evaluate?
Third, will changing to a different provider or doing the work in house reduce exposure overall, and at what cost? What are the appropriate mitigations, such as link or disk encryption?
The answers will vary, depending on numerous details, but for most people, and most businesses, most of the time, action by one's own government is unlikely to be the most important risk. My own preference is to store all of my data on my equipment, on my premises, under my direct control; and except for google backup of my cell phone, which contains no data I think important, I do that. But II do it more to try to protect the personal credit and other personal financial information than to guard against the government (in my case, the FBI or NSA).
It is not entirely clear how the activity described is beneficial to the public. Public benefit would be maximized by fully disclosing the patent to everyone for immediate free use by anyone. Issue of the patent, as was recognized by the authors of the US Constitution, is a way of rewarding the clever inventor by allowing part of the public benefit to be converted to private benefit. The temporary monopolies that patents grant were thought to be undesirable, but offset by the public benefit of public disclosure that allowed others to extend and improve technology. That may be so in the case where the alternative is keeping trade secrets. In the case of enterprises whose sole or primary business is extracting monopoly rents using purchased patents (or even patents on its own inventions) it is very unlikely to be true.
Well, the NSA and its predecessor agencies have been doing pretty much what they are doing now, and sometimes more intrusively*, for at about 75 years. Its Five Eyes associates, and signals intelligence agencies of other democratic nations such as France, Germany, Sweden, Israel, and others probably have been doing much the same for about the same period. Mission creep, if there were any, should be apparent by now.
* SHAMROCK and MINARET, for example.
"You want to spy, you spy legally."
You cannot mean this to be taken seriously. Depending on the point of view, NSA's activities are either legal (under US law, and subject to future determinations about legality and about the constitutionality of the enabling laws) or illegal (under the laws of the countries in which the targets are located). That is equally true, with obvious adjustments, for the comparable spying done by intelligence agencies of other nations.
While mainframe security is baked into the Authorized Program Facility for privileged programs, the primary factor in overall security is in System Authorization Facility exit to the add-ons that provide Mandatory Access Control. The MAC products are optional, and may be either from IBM (RACF) or others (Top Secret, ACF-2 being the primary ones), and are analogous to SELinux or, I think, Grsecurity or AppArmor). Linux with SELinux probably is on a par with a z12 and RACF for security purposes.
"This strange doctrine" now is supported by both statute and Supreme Court decision. The remaining part of the quote - "Neither individuals nor corporations have any right to come into court and ask that the clock of history be stopped, or turned back" - is morally correct but has been overridden by the legislature and the courts.
Aereo was, indeed, attempting to skirt the 1976 changes that imposed fees on cable company redistribution of broadcast material. The plan was reasonably clever, fairly persuasive, and at least one judge found it lawful. Now the Supreme court has found that under that law Aereo, like the cable operators, is required to pay broadcasters for the benefits they bring to the broadcasters in the way of improved signal availability and added features.
The proper correction is for consumers to interest their Senators and Representatives in correcting this and other obvious flaws in the copyright laws, by indicating to them that it will influence their vote in the next election. It almost certainly won't happen, though, as this is one of those cases where a great many people pay a small amount each (and so care little) for the large benefit of a few (who care much and are willing to lobby and litigate extensively to attain their goals).
I would say that if you are being arrested there is no reason the police should not seize your phone or other storage device, but they should be required to obtain a warrant before looking at the contents. Otherwise, I see no reason for the large number of negative votes.
Incorrect to the extent that searching a portable storage device (one's "effects", perhaps?) should require a warrant whether it has technical protection or not, just as would be true of a residence. If the arresting officers think a phone is worthy of search, all they need do is remove the battery or drop it into a Faraday bag (or simply wrap it tightly in aluminum foil) and seek out a pliant judge. There will of course, be exigent circumstances, but they should be rare exceptions to the rule.
Earning is a distinctly imperfect proxy for intelligence. Of the many reasons that individuals have different incomes, intelligence is one. Others include personal choice of occupation, education and its availability, obligations assumed, e. g., to care for spouse, siblings, or parents, various kinds of discrimination (favorable and unfavorable), ambition (or its lack), luck, and doubtless others.
And while the genetic component of intelligence appears to be rather high, IQ, which is the basis for most studies that reach this conclusion, does not by quite a ways measure everything we can reasonably think part of "intelligence".
The point about uncoolness of eduction is well taken, but over the first 20 or 30 years of adulthood might not correlate well with either intelligence or economic success.
In fact, most of the "revelations", at least those that bear on civil liberties both in and out of the US, were tolerably well known to those with any interest no later than 2006 or 2007. Many of the programs were known by name, and it was widely assumed that NSA's Utah data center had the purpose of storing "all" communications despite the manifest impossibility of that.
What Snowden did, like it or not, was arrange for mass media publication of this information, largely in the form of PowerPoint presentations that at best provided little information about the programs' structure and operation but generated and fanned a moral panic. It probably has not done great damage to national security, but certainly has enhanced general distrust of government motives and activities that already was substantial due to previous missteps dating back two or more decades.
Downvoted.
Specific genetic disorders excepted, there is no real evidence that the less well-off whom you assume to be of below standard intelligence have children inherently less intelligent than the successful and well-off of whom you assume high intelligence.
And clearly worth another few downvotes for "Snowjob", "sheeple", and similar.
There is no evidence of any consequence in the documents released either by Edward Snowden or later by the U. S. government that the NSA thinks it is above the law. Taken as a whole they reveal extensive surveillance programs, some of them applied to domestic communications, that in addition to being approved within by the agency's legal counsel were approved by the Department of Justice (and presumably, in general terms, by the President). The programs were held by the FISC to be lawful in most cases, and appear to have been terminated or modified when not. Program operation, including errors and excesses, were reported regularly to the DoJ and FISC.
In the search for bad guys we have tended to narrow the search rather too early and too much. To the extent there is a problem, it affects a major part of the Executive branch, a rotating and rather extensive group of Federal judges who serve on the FISC and its appeals court as additional duty. And that is before even considering the Legislative branch, which passed and re-passed the enabling laws. Whether they did so unknowingly, as some of the members now claim is largely immaterial, although I respect them less, as such statements show rather clearly that they were insufficiently attentive to their proper duties.
Last, of course, are the voters who elected both the President and the legislators, mainly on the basis of largely hollow promises to distribute benefits to all. And the voters are the same, more or less, as those who cheerfully share their personal information with Google, Facebook, Bing, Yahoo, Twitter, and other social media sites.
Things may be different in the UK with GCHQ, but aside from relatively inconsequential details I rather doubt it.
FIPS 140-2 refers to validation of cryptographic modules. Unauthorized use of creds has nothing to do with cryptography, although how the creds were obtained might.
For what it's worth, the OpenSSL FIPS object module (OpenSSL was mentioned in the article, but only in speculation) has been FIPS 140 validated for several years (most recently on 12/20/2013) at 140-2, when built, deployed, and used according to a precise recipe. When I last looked, it was the only cryptographic module validated in the form of source code. One may reasonably conclude that (1) validation of cryptographic functions does not guarantee there are no bugs; and (2) cryptography is a necessary part of overall security, but far from a sufficient one.
In all likelihood, insider threats, whether malicious or accidental, still are the most likely to become problems.
The article said it was Heartbleed, but offered no evidence whatever, only a "purported" connection together with conjecture and a somewhat misleading description of the Heartbleed vulnerability. The source linked,
http://www.postonline.co.uk/post/news/2349943/aviva-mobile-phones-hit-by-in-third-party-cyber-attack
does not mention Heartbleed. The only indication of a connection between this event and the Heartbleed OpenSSL vulnerability appears to be "hart bled" in the text message pictured. So it is entirely appropriate to question how the access was made and how any necessary credentials might have been obtained.
All internet corporates - except those which actually are publishing the content someone found objectionable.
It is not clear why Google (or Bing, Yahoo, ...) should be in the position of adjudicating controversies about claims that indexed information (a) refers to the petitioner, (b) harms them unfairly, and (c) does not serve a public or comparably privileged private interest by virtue of its availability. They, all of them, should defer to the courts or relevant data commissioner.
No. Google* is not the U. S. government, and is not constitutionally constrained as to what it may choose to index, or not. The Constitution limits what the government may do, as, for instance, in telling Google* what it may not make available. Google* could censor in the U. S. pretty much whatever it chose.
On the other hand, Google has been sued, and various government actors in the EU have taken it to task for details in presentation that the plaintiffs considered "unfair" largely because their websites were displayed less prominently than they wished.
Upvoted for the main point, though.
* To be understood as "Google, Bing, Yahoo, DuckDuckGo and other less prominent search operators".
The main problem with this, of course, is that the NSA, with exceptions that are minor in relation to the overall programs it operates, is not breaking the law. It is a perfectly tenable position to argue that the law should be held unconstitutional, but it has not. It also is perfectly tenable to argue that even if the law is not held unconstitutional (and that appears possible) it should be changed to agree better with what we think the law should be, perhaps on the basis that the programs now in operation are unnecessarily intrusive and have not, after somewhere between 10 and 75 years, shown that they have benefits consistent with their costs. The Constitution limits what the government may do, but there is no requirement that the laws permit everything within those limits.
There is no evidence at all for this claim. At the worst one might argue thatt the NSA is part of a conspiracy with, in addition, the Secretary of Defense, the Attorney General, a quite a few federal judges, the intelligence committees of both the Senate and the House of Representatives, and a large number of military and civilian employees in the Executive and Legislative branches of the federal government. All of them are in it up to their necks, whatever "it" might actually be.
One reasonably certain thing about the DoD appropriation bill is that the President will sign whatever the Congress finally agrees on, whether it contains this amendment, a weaker/stronger version, or none at all.
Another fairly certain thing about it is that it won't get much in the way of anything anyone in the above conspiracy thinks essential, especially with the exceptions of paragraph b and the CALEA exception in paragraph d.
(The text can be found by searching H5544 in
https://beta.congress.gov/amendment/113th-congress/house-amendment/935/text)
My conclusion is that the numerous representatives voting for it probably in many cases had a pretty good idea of the state of government electronic surveillance, and should have if they did not, now sense it is unpopular and are currying favor with the voters back home. And the EFF and similar organizations are appropriately happy to have a little something to write up in their donation appeals.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
