* Posts by tom dial

2187 publicly visible posts • joined 16 Jan 2011

Bored yet? Now there's ANOTHER OpenSSL fork – it's from Google

tom dial Silver badge

OpenSSL may not be the only SSL implementation, but it is free (as in speech if not beer). Given the difficulty of getting cryptographic implementations right it might be better to concentrate resources on implementing and making secure a single free implementation, whether OpenSSL, LibreSSL, or another, than to have competing implementations, each insecure in its own ways.

Hackers reverse-engineer NSA spy kit using off-the-shelf parts

tom dial Silver badge

Re: This will mean...

I think not. "Prices" associated with the goodies list will have been estimated to cover the full development and production cost over a rather small production run (go ahead, downvote, but these are mostly not mass produced items). The "purchases" will have been paid almost entirely with internal budget transfers - funny money - and billings adjusted at fiscal year end between managers to help them all stay within their piece of the DoD appropriation which, although secret as to its details, is set by the Congress and administered according to the same rules that apply to other agencies.

Canada to Google: You can't have your borderless cake and eat it too

tom dial Silver badge

Re: Be careful what you wish for

From further on in the linked article:

"[159] The Court must adapt to the reality of e-commerce with its potential for abuse by those who would take the property of others and sell it through the borderless electronic web of the internet. I conclude that an interim injunction should be granted compelling Google to block the defendants’ websites from Google’s search results worldwide. That order is necessary to preserve the Court’s process and to ensure that the defendants cannot continue to flout the Court’s orders."

Slippery Google greases up, aims to squirm out of EU privacy grasp

tom dial Silver badge

Would it not be more sensible to require that the source of the "no longer relevant" data be compelled to restrict internet access to it? Would not the Google (and, one would assume, Yahoo, Bing, Duck Duck Go, and other index entries) then evaporate? Do the ECJ not have the stones to order something that might actually be a solution?

tom dial Silver badge

"[Data processors] have a duty to ensure that the data that they hold and process is accurate and up to date"

It does not seem that they were accused of failing to do that. The complaint appears to have been that they did, in fact, present an accurate and up to date extract of data found on La Vanguardia's web site describing the auction for back taxes of property owned by Mario Costeja González. The "problem" was not inaccuracy, but that it was old, and the subject didn't like it. The Spanish court, rather than take the sensible approach of ordering La Vanguardia to stop its continual republication or at least indicate to Google that it should not be indexed, instead ordered Google to make it less findable.

tom dial Silver badge

Re: "See, if we comply with your crazy order, you stupid judge - everything breaks."

Please do so, loudly and often.

tom dial Silver badge

Re: In other mildly related news:

I did not read into the summaries I saw that Google would have to "forget" things in the US that were ordered "forgotten" in the EC. They might do that, out of convenience; my impression is that they do not have to. If the order was for world wide "forgetting" of "obsolete or no longer relevant" pages, it is as asinine as orders by US judges that purport to apply US law to internet activities outside the US.

CIA rendition jet was waiting in Europe to SNATCH SNOWDEN

tom dial Silver badge

Re: @Flawless101

The Arab Spring. Well, it hasn't worked out all that well for the Egyptians, Tunisians, or Syrians, to mention a few of the more populous countries, and the secondary fallout in places like Nigeria is unpleasant, to understate considerably. Havoc seems a reasonably appropriate description. The number of downvotes seems likely to be mainly a matter of giving the finger to the US.

Greenpeace rejoices after getting huge renewable powerplant cancelled

tom dial Silver badge

Re: Lower CO2 emissions maybe

In my experience, admittedly a bit limited, only a tiny fraction of "progressives" are able to understand, let alone actually handle, mathematics above the elementary school level. Coupled with the inability of nearly everyone to analyze and evaluate risks rationally, that leads to idiotic actions such as the article describes.

Snowden's Big Brother isn't as Orwellian as you'd think

tom dial Silver badge

"Edward Snowden is not important. The information is important." Most of the information has been publicly available, with somewhat less detail, for years, and the activities described have been going on in various forms since before World War II. Books and articles have been written and published describing them. Bulk communication collection at places like Menwith Hill and the potential tracking use of cell phones (mentioned in a later post) have been widely known for quite a while. Not much has happened.

So perhaps Edward Snowden actually is important. Perhaps, but the pace and degree of change underway suggest otherwise. "Reset the Net" might have an effect, but even with that skepticism is in order.

tom dial Silver badge

Re: So everything is alright then

In other words, "we have met the enemy and he is us." (Pogo, 1970)

tom dial Silver badge

Re: "Orwellian" isn't an absolute

One of the article's points seems to have been that there is in the UK (and I would add, the US) what must be, to some, a fairly distressing lack of evidence that either government has attempted to emulate East Germany, let alone actually done so. That seems to be true also for the remaining Five Eyes, Germany, France, Sweden, and Israel, to mention some whose names have come up in a context of collecting telecommunications data.

All of these are stable democratic regimes with regular electoral options to change personnel in charge. They also have a comparatively free press to raise the alarm when the government steps out of bounds. The chance of anything like this uproar over government surveillance happening in East Germany would have been about zero, and I suspect it would not happen many other places today.

As one of the first posters noted, the risk seems not to be from present governments but from ones that might be installed in the future. In the countries named above, communication (and public video) surveillance or not, we voters will have ourselves to blame if that happens. It is well and good to talk of reforming the government's surveillance, although I haven't seen evidence that is likely to happen in the US, but it is a plain fact that a government intent on establishing a police state has little need for communication surveillance. As the East German experience demonstrates, it will not lack informants to provide it precise and timely information about dissidents.

tom dial Silver badge

Re: @RyokuMas It's not today's government you need to worry about...

In the US, law requires the government to offset the cost of satisfying its orders for production of customer data. That is not quite the same as the companies "stumbling over themselves to hand over our data in exchange for millions of pounds in cold, hard NSA/GCHQ cash."

The case in the UK might be different, but I would guess not.

YOU - NASA. Enough with the ROBOTS, get some PEOPLE to MARS

tom dial Silver badge

Re: Humans > robots?

But if the future is similar to the past, there will be no money left for NASA from any "peace dividend". Between 105% and 110% will be allocated to visible things to induce votes for incumbents. Martians, if any, do not vote in US elections. NASA, its dependents, and its employees and their dependents are few enough and scattered enough to be given low priority.

tom dial Silver badge

What can a human do on Mars that a robot can't? (was Humans > robots?)

Think.

The Earth-Mars communication time round trip is more than 6 minutes, a bit much for remote control.

Vodafone: SPOOKS are plugged DIRECTLY into our network

tom dial Silver badge

"Imagine if a small party ... started forcing through policies 'for the country's good'".

I imagine it would not be much of a barrier, or take very long, for them to build a surveillance structure from scratch if it did not already exist, and likely enough a better and more efficient one than any that may exist now. The apparently inexhaustible obsession with state surveillance misses the point.

The real problem is not the information as much as it is the government's operation. I do not see that the UK or US governments (or those of Canada, Australia, New Zealand and most of Europe) do anything significant to suppress opposition, despite having legal or extralegal access to a great deal of information about their citizens. Neither does any of them show much movement toward tyranny - The Guardian, Washington Post, and the Intercept still publish without reported interference, for example. In some other countries the citizens are not so fortunate, but the difference is not a function of the extent of communication surveillance.

NSA: Inside the FIVE-EYED VAMPIRE SQUID of the INTERNET

tom dial Silver badge

Re: Outrage

"They who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

It would be nice if one of those who repeat the several versions of this would explain, in some detail, exactly whose essential Liberty is limited, and in what ways, by NSA's* collection and analysis of communication data. I would not want to argue that it appears likely to be effective or cannot be evaded with fair success, but the link to tyranny that more than a few seem to think obvious really is fairly tenuous. There were quite a few tyrannies, after all, before the invention of the telegraph.

* As a representative example of the SIGINT agencies that exist in nearly every nation with a communication infrastructure of any size.

tom dial Silver badge

The governments of all the Five Eyes countries for the most part respect individual liberty, and will not be able, or even seriously attempt, to prevent potential jihad participants from travelling to join extremist groups elsewhere. They are likely to be much more interested in keeping track of those travellers, especially those who return after a period. Even then, though, it is not necessarily effective, as indicated by the FBI investigation of Russian warnings about Tamerlan Tsarnaev, one of those believed to have committed the Boston Marathon bombing. While this has nothing to do with SIGINT agencies, it is suggestive of the diffidence of federal agencies in following up on nebulous information.

I'm not clear what lucki bstard meant by "US backed terrorist organization (ie IRA)". My recollection is that a number of US citizens and US residents of Irish origin were believed involved in raising funds and obtaining weapons for the IRA, and that some of them were arrested and charged with various crimes. It is not clear that this is properly called US backing.

tom dial Silver badge

Re: Not that I particularly like being spied on, but...

"[I]gnoring the fact that [the Internet] has been co-opted as a tool to [spy on people] is sheer folly."

As was the case with radio signals in the '50s - '80s (and forward - I think listening facilities at Menwith Hill and Martinsburg, WV still are in business); and also with telephone/telegraph before that. The Authorities in all countries have used these facilities sometimes to spy, but none of them was developed for the purpose of doing so and claims to the contrary are rubbish.

I don't have to like some of the uses, and don't; and I don't have to think they are effective in accomplishing some of the stated purposes, and do not. I also do not have to fall mindlessly in line with the current moral panic and believe that communication surveillance is being used for general ill or that it adds materially to the powers that various government agencies already have, and always have had. And absent evidence, I will not.

It is curious that so many, when faced with what they consider gross government misconduct, having lost all trust in the government, still fall back on passage of laws to fence it in. Today is "Reset the Net" day, in which a number of organizations such as the Electronic Frontier Foundation and Free Software Foundation are pushing to get people to take care of themselves with things like PGP, Pidgin, TOR, and Cryptocat. It will be interesting to see how many go for that in place of the basically passive and trusting advocacy of laws that may constrain democratic governments but will do little to nothing to protect against either undemocratic regimes or criminals.

tom dial Silver badge

Re: Not that I particularly like being spied on, but...

The ARPANET was intended to provide secure facilities (primarily against physical disruption) for DoD command and control in the event of war, particularly nuclear war. It meshed well with other activity, mostly academic, but some of it commercial in nature, that was going on at about the same time. Claims that it was developed in order to spy on the population at large are hopelessly paranoid nonsense, as is a sizable part of the contemporary material being written about the NSA, Five Eyes, and occasionally others.

Revealed: GCHQ's beyond top secret Middle Eastern internet spy base

tom dial Silver badge

Re: TRAITORS

@ Jim59

B, especially in view of the facts (1) that there seems to be no supporting evidence presented that the secret activities spawned actions to threaten the current largely democratic regime; and (2) the government has plenty of local actors available if they choose to become tyrannical and in consequence have little need or use for internal signals intelligence.

tom dial Silver badge

Re: TRAITORS — @ I ain't Spartacus

"The Secret State"? Presumably the book by Peter Hennessy; a reference would have been helpful.

ProtonMail may be good, but is new and untried (and temporarily deferring new accounts due to demand). It is not clear how (or if) they are solving the metadata problem, although they hint at it.

Presumably you mean steganography, the art of concealing a secret message in a plaintext one rather than stenography, the taking of shorthand dictation.

Snowden shoots back: 'So you DO have my emails, after all'

tom dial Silver badge

Re: DD/MM/YYYY - Um....

The IBM mainframe clock from the 360 through at least the 3090 was a 64 bit binary number in which bit 56 was incremented every microsecond. If I recall correctly, they provided no guarantee about bits 57-63, but in any single system two successive reads were guaranteed to produce distinct values for bits 0-56 irrespective of the number of CPUs, and I believe this could be extended across all members of a sysplex. When set properly, a clock value of zero corresponded to the beginning of the 20th century. Any date produced internally was (or should have been) derived from this.

tom dial Silver badge

Re: It is inconceivable they don't have his emails

While government agencies, like private organizations, have retention policies, it is all but certain that NSA paused purging about June 2013 and extracted for indefinite retention anything they could reasonably associate with Edward Snowden including, amongst a great many other things, any email in which the metadata or content referred to him. How much of that they would be willing to release is uncertain, and Mr. Snowden should have had the presence of mind to retain his own copies of anything he might want to use later.

As those who read the published email exchange will have noticed, Snowden (a) did not raise in it an objection to any NSA program, and (b) sent himself a copy.

tom dial Silver badge

Re: Edward Snowden isn't very good at logic (and neither is the NSA)

"more likely to raise flags if he tried to store emails from his own account"

I call BS on this; it doesn't even approach beginning to make sense. Retaining copies of questions raised to management would not have drawn nearly as much attention as if he actually had sent the messages. NSA appears to use Outlook, so it probably would have been trivial for Snowden to copy all of his .pst files "for backup" and similarly would raise little or no suspicion.

TrueCrypt turmoil latest: Bruce Schneier reveals what he'll use instead

tom dial Silver badge

Like someone discovered Heartbleed or the Debian DRBG flaw in only a couple of years or so each. I used (and use) both, and strongly prefer FSF-type free software, but do not delude myself that it is perfect. There is no reason to think free (or open source) software, by virtue of being open source, is inherently more or less subject to implementation errors than proprietary software. Code reviews get skipped and testing left undone for both, and vulnerable programs are released. Open source code may be available for public review, but it is clear that the review is not always done successfully or timely.

tom dial Silver badge

Re: re: "closed up before a more detailed review could be done of the code"

"The code review is not there to ascertain that the cryptographic algorithms are any good." True, but it is there to ascertain whether the implementations are good. That would require skilled programmers who also know a good bit about cryptography and its implementation. TrueCrypt's algorithms are standard ones that have been analyzed in depth in other connections.

TrueCrypt considered HARMFUL – downloads, website meddled to warn: 'It's not secure'

tom dial Silver badge

Re: Jamie Jones Oh bugger!

NSL? Not a user myself, I know one who is. From him, the earlier version of the web site, or Wikipedia I had the distinct impression that TrueCrypt was not developed in the US. Aside from that, the customary use of NSLs seems to be to require production of information without disclosure. It is unclear how that would be useful in the case of a software producer whose product is freely available in source code (presumably along with effective procedures for building the binaries). I never felt comfortable using it due to developer anonymity.

It seems possible, maybe even plausible, that one or more of the developers became aware of a compromise but did not, out of fear or for other reasons, wish to disclose that.

Congress divorces NIST and NSA

tom dial Silver badge

Re: R.I.P. NIST outside of the US.

I don't know what might have motivated your downvote either; it seemed a clearly stated and as far as I know accurate description of some of the export control restrictions.

My question, partly rhetorical, was intended to point to the question of controls on the use of cryptography. PGP, upon a time, was illegal to export, despite being based on non-US cryptographic tools, but as far as I know was entirely legal for US residents to use, including in communicating with foreigners once the program was available elsewhere. Some countries (Wikipedia has a list) require licensing or otherwise restrict crypto systems; the US does not appear to do so, although it seems likely that if exchanging encrypted messages with the US government you would have to do it their way, and there could be civil liability attached to using unapproved crypto if it turned out vulnerable.

For the US the black mark seems to be the Digital Millennium Copyright Act.

tom dial Silver badge

Re: R.I.P. NIST outside of the US.

What US laws allow the government to exercise control over non-government cryptography? I don't mean to be snippy; however I am not aware of any such, although there may be legally established standards that companies are required to use to satisfy regulatory requirements or ensure against civil liability.

Apple wheels out sueball cannon, again

tom dial Silver badge

Re: Jury ?

Apple's fan club would buy their product even if it were inferior to Samsung's, and Apple's haters would buy Samsung even if it were inferior to Apple's. In fact I am extremely skeptical that actual people really decide which phone to rent based on the stupid patents at issue. The true damages that Apple suffered probably are in the range of +/- $10, irrespective of what the jury, a naive judge, or an expert judge might think. Each side will have produced their paid-for "experts" who produced numbers based on the assumptions they were told by their employer to make, and the jury probably split the difference based on which set of lawyers told the most convincing story.

A pox on them all.

Congress guts law to restrict NSA spying, civil liberty groups appalled

tom dial Silver badge

Re: Bring on the crypto-anarchy

While the NSA and similar agencies will have great difficulty breaking properly implemented cryptographic systems, the metadata is not encrypted and would retain considerable value. TOR can help there, but recent events related to drug trading and bitcoins used for that establish that it also is not perfect. The difficulty posed by cryptography also explains why a number of countries prohibit its use or require licensing or restrict it to approved cryptographic systems. A reasonably current list is available from Wikipedia.

The cryptography problem for intelligence agencies is, of course, the primary reason that the NSA and similar agencies devote a good deal of effort to planting spyware or devices in targets' equipment, and to researching weaknesses in cryptographic systems and their implementations.

tom dial Silver badge

Re: Again, I ask the question

It is fairly clear from the documents released that the USNSA is subject to extensive and detailed oversight from its own internal controls, supervised by its legal staff and IG; from the Department of Justice, supervised by an assistant Attorney General; and from the Foreign Intelligence Surveillance Court, consisting of Federal judges assigned to the FISC in addition to their regular duties; and by committees and subcommittees of the Senate and House of Representatives. It is not obvious what additional oversight would be useful. You may mean that you think oversight is not public enough. Reasonable people may disagree about that, but it also is not obvious how to provide it more publicly without compromising the programs.

All in all there has been far too much rant and far too little careful analysis in the discussion of what all of the intelligence agencies do. This is egged on by sensationalistic and often biased reporting on documents that mostly were never intended to describe the programs they mention. Often the documents have been published only in part or worse, the news reports are based on documents "that have been seen" but are not made available for a reader to evaluate. The resulting moral panic is unlikely to have a good outcome in legislation or improvement of public trust of the government, despite the lack of evidence that the intelligence agencies are out of control and acting against the citizens.

For myself, I have some concern about the intelligence agencies, but more about inadequately supervised local and regional police departments' acquisition of heavy duty military equipment for SWAT use.

tom dial Silver badge

Re: Obviously time to turn the tables, then...

Where is the symmetry in this suggestion? You propose to gather and publish as much as possible. The NSA, while evidently collecting and possibly analyzing a great deal of data that could be linked to individuals, seems to have published little or none of it. This activity may be creepy, and certainly stirred up a lot of hate and discontent, but does not seem to have done much observable harm.

Indeed, the most compelling argument against the large scale metadata collection may be that it costs a lot of money and has produced little in the way of useful intelligence. The government, of course claims otherwise, but they cite only a few dozen cases, out of which I seem to recall that most involved foreigners acting (or conspiring) outside the US and many or most of the rest could have been handled with more targeted collection.

It is worth recalling that the USA PATRIOT act, which many of us thought ill-advised when it was passed, was meant partly to allow the government to collect and analyze more data and to share more of it sooner among the agencies with antiterrorism responsibilities. This unfortunate act was passed hastily by overwhelming majorities in both houses of Congress based on a belief widely shared in the population at large that the attack could have been prevented with the help of better intelligence and increased cooperation among intelligence agencies. It was enacted with too little public discussion and analysis at a time of widespread concern that other similar attacks were being planned, a concern that the later bombings in London and Madrid show was warranted.

Well, now we think it went too far, don't much like it, and the Congress is considering legislation, in the form of the USA FREEDOM act to scale back data collection, for "US persons" at least. This is being done with as much haste and as little public discussion and analysis as the PATRIOT act. That didn't work out well then and probably won't now; following the next successful major terrorist attack on the US restraints on data collection will be quickly relaxed if it appears that there were unnoticed hints that, by hindsight, seem predictive of the event. The Congress and Executive branch need to take the time to do it right this time. Enough is known publicly now about some of these intelligence programs to allow much of that to be done publicly, and it should be to the extent possible.

Web firms, DON'T PANIC: The Euro Google 'right to be forgotten' isn't a problem

tom dial Silver badge

Question

Would not the obvious solution to Mario Costeja González's embarrassment over having his house sold to satisfy a delinquent tax bill be to have the La Vanguardia Ediciones SL eliminate the article from its web site, or at least install a robot.txt file that would inform Google's crawler (and others) that the area should not be indexed? I have not heard of complaints that Google and other widely used indexers ignore those, and it would be reasonable to argue that to do so should be made unlawful or a cause for civil action.

As it is, information about Mr. Costeja Gonzalez's troubles now is far more available publicly than before, including from every major newspaper and news web site including, perhaps, The Register. Not good for him, although possibly OK for other, less well known, future petitioners.

There also would appear to be some law to be made around this decision, concerning the extent of the required web purge. Would search providers have to purge links to Maureen Dowd's column in this morning's New York Times, for instance

http://www.nytimes.com/2014/05/21/opinion/dowd-remember-to-forget.html?hp&rref=opinion

or to other articles that either the embarrassing sale or have links to it? Would the other individuals named Mario Costeja Gonzalez have legal cause to complain if links referring to them were altered or removed accidentally? This is not made up: it appeared a few weeks ago that there are a number of distinct people with that name, some in South America; they are for now unfindable in the first 25 or so pages of Google search results.

Latest Snowden leak claims NSA bugged ALL mobile calls in the Bahamas

tom dial Silver badge

Re: Snowden pah

The government is seriously interested in prosecuting Edward Snowden because of his unauthorized release of large quantities of highly classified documents, which I expect they find damaging to programs they think important, not to mention that it was a major embarrassment. They - the executive branch and much of the legislative branch - have little interest in cutting these programs, as Presidential Policy Directive PPD-28 shows rather clearly.

There is no evidence that the NSA or its other Five Eyes counterparts operated without controls; indeed, many of the documents released describe the controls in great detail and indicate that the NSA had internal controls and reporting procedures that raised instances of questionable behavior to the Attorney General or FISC.

Those who, for whatever reason, wish to delude themselves that we are seeing a malevolent out-of-control secret government "drunk on its own power" that "infected those in power who were supposed to be overseeing them" certainly may do so. The problem, however, is either much more or much less serious. Either the government, with the help of the DHS, FBI, CIA, NSA, and assorted other military and civilian agencies is bent on enslaving us all using the laws the Congress passed and programs over which it exercises general supervision; or it is not. Given the fact that somewhere between most and all of the programs disclosed have been running for years to decades with no noticeable evidence of an emerging tyranny, I am cautiously optimistic. We are right to be concerned about potential misuse of government surveillance and right to try to install controls that we think will keep it from being misused. In the end, however, it is not the surveillance that will oppress but those we authorize to use force to maintain order; and if they go wrong they will have little need of mass surveillance, however useful they might find it.

tom dial Silver badge

Re: Snowden pah

" a revelation we didn't know about or couldn't imagine" or that wasn't reported, in many cases by name, by about the beginning of 2011.

Upvoted.

tom dial Silver badge

Nothing much to see here.

I can't see the article really tells us much beyond that the foreign intelligence services, exemplified by the NSA (with a brief nod to the Australian DSD) are doing pretty much what we would expect of them, pretty much what they were (and still are) doing with radio signals before the explosion of undersea fiber, and with no indication at all that the results are being used politically.

On a quick first read the abominably formatted Presidential Policy Directive referenced here appears to add no significant constraints on the collection or management of communication to those that are already required and about which there is much agitation.

tom dial Silver badge

Re: oorah!! for the Job Creators!!

For $51m over 8 years, at normal contractor rates, General Dynamics really will not be doing all that much. By my crude reckoning that will rent a staff of no more than about 75 people, on the unlikely assumption that they don't have to supply any equipment, space, or office supplies.

The number sounds a lot bigger than it is.

US authorities name five Chinese military hackers wanted for espionage

tom dial Silver badge

Re: US Law Rules the World (Not)

" If China were a civilised state, those people would be found guilty in China and duly prosecuted."

First, China is, and for about 4000 years has been, a civilised state by whatever were the contemporary standards of civilisation.

Second, the accused are Chinese military personnel and rather unlikely to be tried under Chinese law for acts that probably were no more illegal there than Five Eyes foreign intelligence activity is under applicable laws in Australia, Canada, New Zealand, UK, and US. This is little more than a public shaming effort.

Cisco's Chambers to Obama: Stop fiddling with our routers

tom dial Silver badge

Re: Workaround

If the only thing happening were flashing with dodgy firmware there would be no need to open the box and the suggested procedure would be helpful and possibly curative. But the claim, as I recall it from a couple of months ago, was that NSA intercepted some kit destined for overseas purchasers and made hardware modifications to create back doors that could be exploited as part of their Tailored Access Operations. It is doubtful that they would do this very often given the hands on labor involved. That such a claim is made suggests that the manufacturers themselves might be clean (other, of course, than providing out-of-band management ports that some might consider back doors and that might be usable as such given cooperation of the owner or vulnerability of the owner's OOB network).

tom dial Silver badge

Re: The old slippery slope is well underway....

It appears the US government is charging five individuals, presumably named or otherwise identified, with specific offenses against named victims. It does not appear they are charging the Chinese government as such. That differs a bit from a general accusation of spying, not that there isn't likely plenty of that done by most governments that have any capability at all.

Oracle vs Google redux: Appeals court says APIs CAN TOO be copyrighted

tom dial Silver badge

Re: What Java APIs?

If I recall correctly Google and Oracle could not come to terms on the details, Google wanting more than the semi-crippled Java ME but less than the full Java system. Groklaw should still have the details although, sadly, it will no longer be available to report on the followup.

tom dial Silver badge

Re: What Java APIs?

No. It appears to mean Oracle gets to pick and choose who they will allow - or charge - to implement a proper subset of the APIs. The full API set is covered by the GPL, so IBM's implementation (and OpenJDK) probably are OK.

Google might want to implement the remainder of the API for Android and get shut of Oracle. It might slightly burden Android phones, but to the extent the additional APIs are unused it would not be noticeable in operation. On the whole, though, I would much rather see them push further appeals to try to get a final and definitive ruling that APIs are not subject to copyright (or patent).

Amazon granted patent for taking photos against a white background – seriously

tom dial Silver badge

Re: Something's off here

Unfortunately, paying them by the application (nearer, I think, to the actual case) would be little better than paying by the patent approval. Patent examiners can be much more "productive", and accordingly earn better performance ratings, awards, and promotions by approving applications. Disapproval is likely to bring the applicant back as many times as it takes to modify the application so as to obtain approval, thus slowing the process down. Approval is quicker and easier, so patent office action would be biased that way even if payment were based on total throughput.

It would be better to fund based on disapprovals, perhaps also returning the application fee to those who are granted a patent and charging a new fee for each amended application.

Report: Google's NSA dealings not as bad as you thought – THEY WERE WORSE

tom dial Silver badge

Indeed, one of NSA's two primary missions is to promote information assurance within the US, as its other is to engage in signals intelligence collection and dissemination, including undermining or subverting information assurance activities of most or all other nations. They do not differ in this respect from signals intelligence agencies in other countries.

Clearly, there is some tension between the two missions, especially in the area of software and hardware vulnerabilities and those are resolved in some fashion by agency management, probably not always for the best. The article (and the Aljazeera source) report, with a quite negative slant, that one way involves coordinating and assisting development of commercial IA programs. While it may be justified to criticize NSA if it can be shown to have misguided the companies, neither article makes such a claim. Based on the email messages Aljazeera obtained by FOIA request and published, it is hard to justify attacking Google or others for participating in the briefing or for cooperating with each other and NSA to improve security.

Nuclear reactor sysadmin accused of hacking 220,000 US Navy sailors' details

tom dial Silver badge

Re: Trenton, Knight, than there's Krueger...

Trenton = Daniel Trenton Kreuger, Knight = Nicholas Paul Knight. The Department of Justice press release, with additional information including a list of (some of?) their targets, is at:

http://www.justice.gov/usao/okn/news/2014/teamdigi7al0505.html

The "out of boredom" comment was from Kreuger, the community college student, rather than Knight, the Navy system administrator.

Canucks' ISPs routing data through snoop heaven USA

tom dial Silver badge

I am neither Canadian nor a lawyer, but it appears on reading that PIPEDA applies in the private sector and defers matters relating to government data collection to the Privacy Act. The latter appears to have loopholes large and numerous enough to accommodate a broad range of activities, conceivably including the kinds of activity we have come to expect of signals intelligence agencies. In particular, it is not obvious that collecting, e.g., telephone and email metadata, or internet search data, would be restricted. Subparagraphs c and d in the definition of personal information might not be enough, depending on the interpretation of "identifying number" or "address". The section on "Exemptions" (to disclosure), too, covers a lot of territory, including information received in confidence from foreign governments and international organizations of states and their institutions as well as that accumulated in conjunction with investigations of illegal activity or national security threats.

Again, I am not a lawyer, and case law based on the Privacy Act and other related legislation may tightly constrain what intelligence agencies may do, although I would expect things to be far more settled in matters of police activity. In the end, however, much depends on how government officials behave in practice, whether they can be (and are) trusted to behave well, and whether there are adequate controls on their misbehavior. The Canadian Privacy Commissioner appears to be important, and hopefully is more active and effective than its US counterpart has been.

Google forges a Silver bullet for Android, aims it at Samsung's heart

tom dial Silver badge

Re: Dear god noooo

Enough hyperventilation. The only way Google will "[drive] away other manufacturers from the premium segment" is by offering a product that more people want to buy. That is something where Samsung, in particular but not alone, has a lot of experience and success. Google is not the epitome of evil and in the cell phone industry is a latecomer and relative pipsqueak. It is likely to find a niche, but whether at a profit is uncertain and it is unlikely they can dominate.

EU antitrust bods: Motorola, Samsung too dominant to take on poor little Apple

tom dial Silver badge

Re: I always thought that FRAND .....

"[Y]ou can't get products banned just because you can't agree terms". That raises a natural question: What is a patent holder's recourse then when the patent user simply refuses to negotiate or offers a price of $0?