Posts by tom dial

Re: Echelon?

While the surprise and shock indeed is a bit difficult to understand or justify, Echelon's present analog appears to be XKeyscore rather than Prism, a facility for use in executing data retrieval based on warrants and subpoenas.

Re: Damned if they do, damned if they don't.

@John Smith 19

A better way to state the point would be that a random citizen is far more likely to suffer damage from a criminal than from misuse of information gathered by foreign intelligence agencies. That is especially true in the US due to the antiquated card systems and POS terminals in use, but I know no reason to thing the intelligence services in Australia, Canada, New Zealand, or the UK pose a measurable risk to randomly chosen citizens.

It is, of course, completely true that foreign intelligence agencies such as NSA are not purposed to reduce child porn or computer fraud. Indeed, the NSA is not tasked with a large role in identifying or preventing domestic terrorism, mainly a job of the FBI. I do not recall seeing it reported, but it would be unsurprising if the FBI could request queries of the NSA metadata databases.

Re: Tail wagging the dog.

"Three words: 'Bay of Pigs'". This is a particularly bad example, as the undertaking was known and approved by both President Eisenhower and President Kennedy. The CIA sponsors evidently were wrong in predicting success, but were operating with approval of their supervisory chain.

Re: To the first AC:

I. e., "the future will be like the past". That's one model, a really simple one, and maybe not the worst. The real questions are (a) has this occurred because we are burning the carbon based combustibles many orders of magnitude faster than the sun is remaking them; (b) if that is so, is there anything even remotely possible, politically, that would change it favorably; or (c) would it be better to try to anticipate and mitigate the effects?

Re: Good!

Good luck suing the US Government for money.

Re: Well, perhaps not all the tactics.

Schneier appears here to have been discussing hardware and software machine implants and techniques for capturing cell phone communications. Within the national boundaries, police (types) have been using similar techniques for a long time to bug machines (mostly with warrants), as have criminals. There are differences in detail, but nothing really all that new. They have no overwhelming need to build bogus cell towers, since they can obtain authorized access through the courts. Criminals may find it useful to emulate this, and with dozens of software defined radios priced in the under $1000 range it is doubtful that they will be as much as 3-5 years behind in that.

Re: Since when

And there are, of course, powerful incentives within the USPTO to approve patents applications rather than deny them.

Re: Pure BS of the finest quality

An upvote for the reminder that Dual_EC_DBRG was known for years to be a bit funny.

A few points, however:

- It's a fine point, to be sure, but there is not, as far as I have seen, proof that NSA knows the particular values that would make the generator an open book. It was known early on that the generator was biased, and that should have been enough to make anyone knowledgeable (like RSA, perhaps, or NIST) wary of using it. The Shumow and Ferguson paper showed that numbers exist that would make the DBRG predictable to one who knew them. They did not demonstrate a way to obtain them. I have seen no reports of evidence that NSA knows them, and don't know that the values are an automatic byproduct of, or even obtainable from, the construction method specified in Appendix A of the NIST recommendation, which might actually have been used to produce the publicly revealed constants.

- I was unwilling to cough up $100 to see the specified X9.62 standard, but anyone who was, or had access to an X9.62 validated generator could generate their own initial points and be free of the suspicion that NSA had the secret points that would break their generator.

I may be wrong in this. I am not an expert in the field, nor widely familiar with the published (or unpublished) literature; but then neither are the vast majority of those who have written or commented about this issue. That said, I would judge the claim that Dual_EC_DBRG was backdoored to be "not proved", along with the claim that RSA is guilty of accepting a bribe to include it.

Dual_EC_DBRG in its standard implementation is questionable for both bias and the possibility that NSA (or someone else) might have a back door, but an independently produced implementation using different constants might be free of those concerns. It does occur to me, however, that it may be difficult to pick initialization points for the algorithm to produce unbiased output: If it were easy, NSA surely would have done so, whether or not they were simultaneously creating a back door.

Re: Thanks

No, and again No. First, the market in document editors did not determine the success of Word. That largely was determined by the market in desktop operating systems, in which Microsoft had, and exploited, a near monopoly. Second, a government has, or is supposed to have, non-economic interests such as very long term support and transparency that may be as important or more so than any economic ones. The Magna Carta, or the U. S. Declaration of Independence/Constitution are readable now by people skilled in the language and writing of the time they were written, as we might wish for legal documents prepared now in machine readable form to be accessible 50 or 100 years in the future. There is more reason to be confident that that will be true if they are prepared in a format based on a transparent standard such as ODF than on one like OOXML that is translucent at best. My personal preference is UTF-8 done with a plain text editor for most official documents.

Re: The USPTO

Work rules:

Evaluate examiners on applications completed, keeping mindful that denying an application will likely lead to refiling with amendments, possibly many times. Of course, the application is incomplete until either the patent is granted or the applicant exhausts all options for amending it, something that might take years. An examiner who acts deliberately will act less quickly, receive a lower appraisal rating, be less likely to receive awards, pay raises, and promotions, and in the end, more likely to seek more rewarding and remunerative employment elsewhere. One who completes applications quickly after cursory review to ensure proper spelling and grammar will receive outstanding appraisals, performance awards, pay raises, and promotions. The "best" eventually will fill the top level executive positions. The USPTO is a bureaucracy, and Imhoff's Law applies.

Re: I am pleased

We in the U. S. have a nearly incomprehensible array of government entities. To begin with, there are the federal, state, county, and municipal governments, each somewhat independent of the others. But beyond that there are numerous "authorities" set up for special purposes, such as the recently (in)famous Port Authority of New York and New Jersey, or the less well known Ohio Turnpike Authority, established about 60 years ago to oversee construction and operation of the Ohio Turnpike until the 40 year construction bonds were paid up from the tolls charged (after which the tolls were to be eliminated. Still in business, it recently raised the toll rates substantially. If that were not enough, we also have aownship supervisors for unincorporated areas and a variety of semigovernmental committees to deal with issues like regional development promotion that are of interest to a number of government entities but not clearly the responsibility of any.

For those of us with certain attitudes it is an endless source of entertainment.

Re: Has ANYONE dared check in at a US airport ...

They might indeed. But would not the offense here be the "passing off", not the mere use of the logo? Even the U.S. law cited in the article conditions the offence on implying the endorsement of the NSA rather than the use as such. That might be unconstitutionally vague, but when, as in the Liberty Maniacs case, there is no question of agency endorsement, existing First Amendment law almost surely would end things. On the other hand, there probably is no problem making it illegal to pass oneself off as a government official, nor with putting in evidence that a copy or near copy of the agency logo was used in furtherance of an impersonation. But the offense would be the impersonation, not the use of a symbol.

Re: Enterprise software licensing is so much fun...

My conversation with an Oracle customer support representative several years ago about Oracle DBMS led me to conclude that they were happy to have the product downloaded and used for development on a single user machine but that anything beyond that would require purchase of some kind of license. Exploration of the meaning of "beyond that" yielded up that they would consider the following to be violations:

- installing and running the software for any purpose other than application and database development;

- running it for any purpose on a machine that would allow more than one concurrent user.

The context was that we would have liked to put it on a surplus HP 9000 for some skunkworks like development involving three or four developers; the answer was that they would expect about $30K to purchase and $10K annually for maintenance. We chose a different approach to the problem.

Peoplesoft licensing might differ but, knowing Oracle, I doubt it would be advantageous to users.

Re: Google worse than NSA

So you load (in the earlier post) all badness on the NSA when, as we in fact agree that the problem is much more complex.

I am less ignorant of U. S. history than you appear to think, but do not think the U. S. government has, operating internationally, behaved a great deal differently - either better or worse - from the average major power. That certainly includes a sizable share of the bad, and of the stupidly bad, nearly all of them initiated or sanctioned by our elected legislators and carried out more or less enthusiastically by the executive branch. And that was my point in a slightly later post: the NSA is not THE problem, nor is the CIA or FBI or any other executive branch agency.

The real problem is in the laws and policies that established these agencies and govern their operation. As shocking as they were to many, the documents Edward Snowden released, and the additional ones later declassified, indicate that, in the main, the NSA operated within its charter, reported on itself when it identified errors and abuse internally, and when chastised by the FISC on occasion for exceeding the limits of the laws and executive orders, they modified their programs in response. The documents also show that, allowing for 40 years of technology change, NSA operates now in nearly the same way it did before FISA enactment in 1978. They do not show an out of control agency that is making things up as it goes along. The situation with the CIA probably is similar: we know for sure that the President exercises personal control of drone assassination of U. S. citizens, and it is between probable and certain that all major CIA initiatives going back to the agency's beginnings were known at the time to the President, the cabinet, and at least selected legislators in both houses of Congress.

Indeed, many were widely known and supported by the Press and public opinion, at least early on. And that, I think, is a major part of the underlying problem. A poisonous combination of political and historical ignorance with periodic moral panics leads to atrocious public policy choices. During the last century or so we have had two Red Scares, a "fifth column" panic on the West coast at the start of WW II, anti-alcohol and several waves of anti-drug hysteria (and seem to be starting another even now), the Satanism and pornography panics, and the terrorism panic. From those, with enthusiastic support of much of the population, we have got a huge amount of criminal activity that extended into Canada, Mexico, and other Central and South American countries; four rather large undeclared wars, the most recent associated with renditions and officially sanctioned assassinations; internment without due process of more than 100,000 of Japanese origin, most of them U. S. born citizens; serious attempts to suppress First Amendment rights in the '50s, '60s, and '70s and questionable, if not illegal, collection of communication data since the 1940s. In addition, scores of people were jailed or blacklisted based on their leftish political leanings and quite a few others were convicted and given long sentences based on testimony from carefully indoctrinated small children about acts that were impossible or for which there was no corroborating evidence. Unfortunately for those who argue that the government and its various agencies aim to oppress us and become our rulers, most of this resulted, directly or indirectly, from legislative and executive actions taken with the support or acquiescence of a majority of the population.

And now we have yet another moral panic, about privacy. It is expressed at Google, Yahoo!, Facebook, and the like, who know mostly what we choose freely to let them know; and very slightly more recently, the NSA, which collects huge amounts of data about both U. S. residents and others. I suspect this will be merged to another budding panic, over theft of personal financial and credit information. This will result in many stern editorials, great stirring among the people, and demands that Something Be Done about it. Our dutiful legislators, having tested the wind direction, will comply as they did when the question was about Communism, drug addiction, or terrorism. I know no reason to believe that the results will be appreciably better.

Re: How about @HollyHopDrive

At a party in 1999 I was told by the deputy CIO of a regional (but growing) bank that their plans were to implement only browser based applications going forward and tp replace existing workstation based clients as quickly as possible. As he put it: "I don't want to be maintaining 3,000 desktops." I believe banks are not among the most adventuresome in deploying IT. Remote management software has been much improved since 1999 but the point remains valid. It sounds as if the UK NHS and its various components had no long-term plan for managing the application software that supports the medical staff and patients, and their plan, such as it is, is to continue to have no plan but to default to Microsoft.

One wonders whether the Linux path taken by Munich and by the larger French Gendarmerie might have been both possible and advantageous if initiated at the time the XP EOL was announced.

Re: "Mobile 'killswitch' mandate"

Perhaps you are not a "US Person" and so are led to understate our problem. Here, "the government" includes at least federal and state governments able to do serious mischief, and sometimes (e. g., New York) city or county governments as well. In this case, the California state government, pretending at sovereignty, proposes the ill-considered solution to what largely is a non-problem or at most an embellishment of an existing one. In this case as in many others, the government acts with the best of intentions, not a plan to harass and suppress the citizens.

Re: To get around the muzzling orders...

In the long run it is likely that intelligence services of various other countries, some operating under fewer constraints than the NSA, and the police agencies of those countries, will cooperate with US officials to deal with terrorism and criminal activity. As they have in the past.

Moving to the Principality of Sealand sounds interesting, but it is not clear why anyone would want to move to a place where there are no legal protections at all. My own inclination would be Iceland, with both reasonable laws and power availability.

Re: From Desert Fox to Desert Ox

Recalling that the NSA is in the Department of Defense I would not be so quick to dismiss military hackers' skills or intelligence. On the other hand, the idea that the DoD put out a cyber hit on Hastings almost certainly is paranoid fantasy.

Re: Not another NSA article

But, for those who didn't read the source document, the article referenced at footnote 32 on page 11 describes certain Internal Revenue Service capabilities and activities. While thinly sourced and quite vague (much like reports about the NSA), it suggests rather strongly that the NSA is not the only threat we Americans face from our government, and for nearly all of us it is a far more salient one.

Re: Wrong analogy

I am fairly libertarian by inclination, but the paranoid strain gets a bit tiresome after a while. Please provide the locations of your UK gulags as evidence of parity between the old USSR and the UK. As far as I am aware you are under far more surveillance in the UK than we in the US, but have not heard where you store your zeks.

Re: Great, so that means they're going to issue cryptographically signed releases as well, right?

Maybe the real tragedy is that Microsoft probably is quite correct in thinking this exercise will convince the marks of their purity.

Re: google site:microsoft.com

Thanks for the reference to "bing it on". Tried it, and it confirmed my previous evaluation. In this case, Google 3, Bing 0, Draw 2, generally in the range I've seen before. Having failed for years now to compete successfully, Microsoft engages its pet public interest group to lobby for hobbling the more successful search service.