* Posts by Pseu Donyme

404 publicly visible posts • joined 10 May 2011


Panama Papers hack: Unpatched WordPress, Drupal bugs to blame?

Pseu Donyme

re: US connections, relative lack of

http://www.newyorker.com/news/john-cassidy/panama-papers-why-arent-there-more-american-names

US govt says it has cracked killer's iPhone, legs it from Apple fight

Pseu Donyme

>Okay, who called this off?

A possibility is that both Apple and FBI did i.e. there was an agreement behind the scenes to Apple to continue unlocking its devices as it has until recently and the FBI to back off from the court case with a mealymouthed explanation: stakes were high for both and the outcome was unpredictable (not only from the courts, but potentially from the legislators as well). I suppose this is unlikely and I would like to think better of Apple*, but then they were among the other prominent US tech corps on the PRISM slides courtesy of Ed Snowden. Also, in this case Apple seems to have found its zeal for privacy advocacy only after asking the FBI to issue its application for the unlock tool under seal**.

* a trivial reason being that I'd like to eventually replace my Blackberry with something decent, privacywise, of course it is great to see a big tech player putting emphasis on privacy, but then doubt towards tech from the US is not without reason

** http://www.nytimes.com/2016/02/19/technology/how-tim-cook-became-a-bulwark-for-digital-privacy.html

London's $40m 'flash crash' trader is to face extradition to the US

Pseu Donyme

Re: Fix

Indeed. As far as I can see a stock market would work perfectly well if the highest bids were matched with the lowest asks (where bid >= ask, of course) at the end of the day and where the price paid would be the mean of the two ((bid+ask)/2) for each match: after all, stock markets are closed overnight and during weekends so the need to have a current price by the nanosecond simply isn't there. (The bids and asks should also either be final (no canceling) and/or only published at the end of the day after the trades are final to further avoid manipulation.)

(re: free market, a bit of an oxymoron, really, as anything free in the sense of lacking enforced rules ceases to be a market in a practically useful sense. A fair market, in the sense of a level playing field, would seem like a more pragmatic goal.)

Apple tells iPhone court 'the Founders would be appalled' by Feds

Pseu Donyme

Re: @ Pseu Donyme

> How do you come to that conclusion? The SCOTUS ...

While a pragmatic summary of the Citizens United decision might be "money = speech" it is still not "code = speech". Also, Citizens United was in the context of campaign (advertising) financing intimately tied to political speech, whereas Apple's 'speech' here is software i.e. algorithms for computers to carry out, not disseminating and/or discussing facts and opinions between people. (Also, the crux of Citizens United was elsewhere: whether campaign financing may give rise to corruption or the appearance thereof. The implausible finding was that it doesn't.)

Pseu Donyme

If the best Apple('s lawyers) can do here is to invoke free speech, the odds of them prevailing don't look very good: this is quite a stretch at best, not made any better by a corporate entity claiming what at its core is an individual right.

Hand in hand, TSMC, ARM head to 7nm server chip land

Pseu Donyme

Somehow this reminded me of the boast: "In the USSR we have the biggest microchips in the world." (a mock one making fun of their propaganda, of course)

Obama puts down his encrypted phone long enough to tell us: Knock it off with the encryption

Pseu Donyme

I'm mystified, ...

...deeply mystified as to what a terrorist could possibly have against the local building society.

Google gives ringing endorsement to US VPN providers with 'right to be forgotten' expansion

Pseu Donyme

Re: bollocks this is not about personal data

>There is no 'personal data' in search results as personal data is currently defined.

The US definition of PII is rather narrow (~data from which an individual can be directly identified such as a name, SSN, phone number ...), however, the EU data protection directive definition of personal data is much wider (~data about a person, even if it doesn't directly identify a person, but can potentially be connected to a person by a third party). Still, I can't see how a search by a person's name could be carried out and the results displayed in the US without exporting the name from a server in the EU at some point, if that is where the information related to the name originally resides.

Pseu Donyme

Re: Nudge, nudge, wink, wink. Say no more...

>Data collected in Europe should remain exclusively in Europe...

This can be an issue with (Google) search even if the results 'to be forgotten' are not displayed within the EU, but personal information has been exported from the EU to display or otherwise use it elsewhere. Such export is legal only if the receiving jurisdiction has proper data protection in place. Until recently the lack thereof in the US was supposedly covered with 'Safe Harbour', which meant that Google & other US companies taking advantage of it were supposed to honor the EU data protection principles with the exported data, the problem being that they not only don't but can't.

How the FBI will lose its iPhone fight, thanks to 'West Coast Law'

Pseu Donyme

Indeed

For science to have a chance to defy law with the iPhone Apple would need to implement encryption in a way they themselves cannot circumvent. (One way of doing this would be adding a tamper-proof chip akin to what is in a SIM to keep the encryption key, which would only spit it out given the correct passcode, and, unlike a SIM, would irrevocably erase its contents after too many misses).

Facebook can block folks using pseudonyms in Germany – court

Pseu Donyme

This is a bit of a surprise given the ECJ's Weltimmo* decision, which would seem to say that even a minimal legal presence in an EU member country means that a company is subject to the data protection law / DPA of that member country.

I suppose Facebook might have been careful not to have any formal legal presence in Germany, in which case (by the Weltimmo decision) the German DPA should request the Irish one to act (and, if not happy with the result, they'd probably need to take the Irish DPA to the ECJ, likely by the way of Irish courts as happened in the Safe Harbour case).

* http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150111en.pdf

Ad-blockers are a Mafia-style 'protection racket' – UK's Minister of Fun

Pseu Donyme

Re: Ad-blockers are a Mafia-style 'protection racket

Advertising itself is a protection racket in that it provides only a relative advantage: if you were the only one to advertise there would be an advantage over the competition, when everyone does there is just a cost (ultimately paid by the customers, of course).

Facebook's Latin America veep set free by appeals court

Pseu Donyme

Re: "What, you mean that this wasn't written by script kiddies?"

> ... those in power would understand things like math ...

The Guardian piece linked to would seem to say that WhatsApp has simply ignored the Brazilian requests: "Investigators first contacted WhatsApp, which was bought by Facebook in 2014, about four months ago but have yet to receive a response". If so, the fault lies with WhatsApp / Facebook, not the judge's understanding of IT issues. Also, the detained executive seems to have gotten out on a legal technicality: "A judge ruled he was wrongly detained because he was not named personally in the legal proceedings".

Safe Harbour v2.0 greenlights six bulk data collection excuses

Pseu Donyme

"Privacy shield"

I suppose it is aptly named in a sense: it shields privacy from us EU plebs.

ICO fined cold-call firm £350k – so directors put it into liquidation

Pseu Donyme

Methinks directors should be personally liable for ICO fines in case an LLC fails to pay them for any reason (unless, of course, they go to court to argue otherwise and the court finds in their favor).

Apple fires legal salvo at FBI for using All Writs law in iPhone brouhaha

Pseu Donyme

Re: One thing I don't understand

@Steve Todd, the way I have understood it, there is a 256-bit constant unique to each chip baked into it at manufacture. The AES-key(s) are derived from this and the passcode. The constant (AFAIK) is physically read-only*, it cannot be overwritten. Unless there is persistent, writable storage outside the phone's flash, a flash emulator should work to defeat the retry limit as anything to be wiped would have to be in the flash which would be restored as needed (or possibly be read-only altogether). What I think is overwritten when the 10 try limit is hit is some more key material stored in the flash without which the AES-keys needed to decrypt the file system cannot be derived. Likewise the delay would be defeated (to some extent) by a reboot with the emulated flash restored, if the only place to keep a persistent copy of the retry counter is the flash.

*or strictly speaking not even quite that from a software point of view: it can't be accessed directly, only fed to the AES hardware. Still, firmware can brute force the passcode as it can generate the AES keys for all passcodes and see what decrypts.

Pseu Donyme

Re: One thing I don't understand

In an earlier related discussion a fellow commentard suggested replacing the flash with an emulator with a copy of the original data. Since this could be restored to original (or maybe be read-only to start with) it would defeat the erase-after-10-passcode-mismatches feature (provided that the flash is the only persistent storage in the device as it likely is (?)). The increasing delay between tries would still be there, but this might be worked around to some extent by rebooting the device with the original flash content loaded into the flash emulator.

Zuck: Facebook won't retry Free Basics in India

Pseu Donyme

Facebook is an exploitative* parasitic** monopoly*** that should not exist in the first place, but unfortunately does due to the lack of data and consumer protection law in the US and inefficient enforcement thereof in the EU.

*ads are commercial propaganda designed to manipulate and misinform; they are ultimately paid by their victim, the consumer as a higher price of products/services

**akin to doping in sports, advertising provides only a relative advantage: if you were the only one among the competition to do it there would be a real advantage; assuming everyone else does it, it just amounts to an extra cost, effectively a tax paid to the admen

***not in a strict dictionary sense, a more accurate term would be "controlling market position" (a synonym in colloquial use?)

US DoJ files motion to compel Apple to obey FBI iPhone crack order

Pseu Donyme

Re: Nope...

> 1) ... they'll almost certainly plug forever in the next release to avoid a repetition.

We'll see, as long as it is possible to do it with a special build of the firmware it would have to be the next hardware release though*. (Secure enclave doesn't apply to a 5c, but it doesn't really help since it too runs replaceable firmware - or that is my take from: http://blog.cryptographyengineering.com/2014/10/why-cant-apple-decrypt-your-iphone.html ).

* e.g. add a tamper-proof chip akin to what is in a SIM to keep the encryption key which will only spit it out given the correct passcode (and unlike a SIM, will irrevocably erase its contents after those ten misses).

Confused as to WTF is happening with Apple, the FBI and a killer's iPhone? Let's fix that

Pseu Donyme

Re: Simple solution...

> ... if the flash memory were to be cloned ...

I was thinking along these lines myself, but it turns out that there is a unique per chip 256-bit number baked in the A6 chip (in an internal ROM section or somesuch on the silicon); this and the passcode are used to derive the encryption keys; since there is no external interface to access this* it cannot simply be copied / cloned to be used in a VM.

* even the firmware cannot read this directly, it can only have it fed to the AES hardware

Why Tim Cook is wrong: A privacy advocate's view

Pseu Donyme

> http://blog.cryptographyengineering.com/2014/10/why-cant-apple-decrypt-your-iphone.html

Thanks for the link! :)

The article explains why Apple can in fact decrypt an iPhone given physical access. A simplified version seems to be that the AES keys are ultimately derived from the passcode and a 256-bit unique per chip key (UID) baked in the core SoC (A6 in the case of a 5c) at the time of manufacture. The UID is not accessible to software as such, but can be fed to the AES hardware via an internal hardware path. This means that firmware could brute force the derived key(s) by going through the passcodes using the AES hardware and seeing what decrypts. For simple/short keys at least this is quite feasible: using the 80 ms per iteration from the above article a 4 digit code space would be completely covered in 800 s.

The 5c / A6 does not have the 'secure enclave' so this is not a consideration for the case at hand, but since the code running there is also a part of the firmware provided by Apple this wouldn't seem to make a difference for the newer models (from 5s / A7 onward) with it. Also, apparently, the ten try limit and the increasing delay between tries are just firmware features.
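The key-release model discussed in this and the earlier iPhone comments above (UID plus passcode feeding a key derivation, a retry counter that either lives in flash or inside a SIM-like tamper-resistant chip, and the 80 ms per try arithmetic), as an added example that is not from the thread, from the linked article or from Apple: a Python toy that contrasts a retry counter kept in ordinary restorable flash with one kept inside the element that holds the key. The UID value, the use of PBKDF2-HMAC-SHA256 as the derivation, the class names and the iteration count are constructed assumptions and not the device's real scheme.

```python
"""Toy model of passcode-bound key release (constructed example, not Apple's design)."""
import hashlib
import hmac

# Constructed stand-in for the per-chip 256-bit UID; a real UID is never readable
# by software, here it is simply a constant so the model runs offline.
UID = bytes.fromhex("7f" * 32)
MAX_TRIES = 10


def derive_key(uid: bytes, passcode: str, iterations: int = 10_000) -> bytes:
    """Derive a 256-bit key from the chip UID and the user passcode.
    PBKDF2-HMAC-SHA256 is an assumption standing in for the device's own KDF."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, iterations, dklen=32)


def exhaustive_search_seconds(digits: int, ms_per_try: float) -> float:
    """Time to cover a numeric passcode space at a fixed cost per derivation."""
    return (10 ** digits) * ms_per_try / 1000.0


class FlashCounter:
    """Retry counter and key verifier kept in ordinary flash. The firmware enforces
    the limit, so whatever can restore a flash image also restores the counter:
    the weakness the thread discusses."""

    def __init__(self, passcode: str):
        self.flash = {
            "tries": 0,
            "wiped": False,
            "verifier": hashlib.sha256(derive_key(UID, passcode)).digest(),
        }

    def snapshot(self) -> dict:
        return dict(self.flash)

    def restore(self, snap: dict) -> None:
        self.flash = dict(snap)

    def try_unlock(self, passcode: str):
        if self.flash["wiped"]:
            return None
        key = derive_key(UID, passcode)
        if hmac.compare_digest(hashlib.sha256(key).digest(), self.flash["verifier"]):
            self.flash["tries"] = 0
            return key
        self.flash["tries"] += 1
        if self.flash["tries"] >= MAX_TRIES:
            self.flash["wiped"] = True   # key material in flash is gone
        return None


class SecureElement:
    """Key and retry counter held inside a tamper-resistant element (the SIM-like
    chip proposed in the comments). Nothing outside the element can read the key,
    reset the counter or undo the erase."""

    def __init__(self, passcode: str):
        self._key = derive_key(UID, passcode)
        self._tries = 0

    def try_unlock(self, passcode: str):
        if self._key is None:
            return None
        if hmac.compare_digest(derive_key(UID, passcode), self._key):
            self._tries = 0
            return self._key
        self._tries += 1
        if self._tries >= MAX_TRIES:
            self._key = None   # irrevocable erase after the tenth miss
        return None


def demo() -> dict:
    """Run both models through ten wrong guesses and report what a restore buys."""
    fw = FlashCounter("1234")
    snap = fw.snapshot()
    for _ in range(MAX_TRIES):
        fw.try_unlock("0000")
    wiped_before_restore = fw.try_unlock("1234") is None
    fw.restore(snap)
    recovered_after_restore = fw.try_unlock("1234") is not None

    se = SecureElement("1234")
    for _ in range(MAX_TRIES):
        se.try_unlock("0000")
    element_unrecoverable = se.try_unlock("1234") is None

    return {
        "flash_wiped_before_restore": wiped_before_restore,
        "flash_recovered_after_restore": recovered_after_restore,
        "element_unrecoverable": element_unrecoverable,
        "four_digit_seconds_at_80ms": exhaustive_search_seconds(4, 80),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes is structural rather than numeric: the derivation cost only sets the pace of guessing, while where the counter and the key live decides whether a limit means anything at all.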

Depressed? Desperate for a ciggie? Blame the Neanderthals

Pseu Donyme

Absolutely, give the man a beer. On a related note - as we now know that the snap has been taken within the Reg US offices - the chap on the left is surely our dear hack A. Orlowski?

No, HMG, bulk data surveillance is NOT inevitable

Pseu Donyme

Re: This is not just a UK problem

Fortunately the ECJ has found this invalid (http://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf).

AdBlock Plus, websites draft peace deal so ads can bypass blockade

Pseu Donyme

Selling (us) out (to a greater extent than they used to) then. Then again, how else to run a business? Then again - with the way Capitalism is apparently heading - Communism is beginning to sound more alluring than it used to.

It killed Safe Harbor. Will Europe's highest court now kill off hyperlinks?

Pseu Donyme

Re: Case should not be about hyperlinks at all

@AC

The 'cookie law' mandates user consent for persistent cookies. The cookie banners and such are ICO's (flawed) idea as to how to obtain that consent. While all persistent cookies may not be tracking cookies, all tracking cookies need to be persistent to be useful, so ICO's guidance at the time could have been using session cookies only without freely* and actively given user consent (for persistent cookies). The result of this guidance would have been eliminating tracking cookies without consent (which I think was the 'cookie law' 's intent).

It seems that ICO could have issued the above guidance at the time. This would have been much more consistent with the 'cookie law' 's spirit as a privacy law, so I'd be inclined to blame ICO, rather than the law itself, for the current mess. What the 'cookie law' 's authoritative interpretation is, though, will eventually be sorted out in the ECJ, the key issue being the question of user consent (where I think ICO has made a particular mess of it).

*freely = consent can be given or *not*, that is, the site must work regardless

Pseu Donyme

Re: Case should not be about hyperlinks at all

>... ridiculous 'cookie law' ...

I do beg to differ: from a privacy point of view the 'cookie law' (i.e. persistent (= tracking) cookies require user consent while session cookies sufficient for most any other purpose do not) is about the most sensible law ever. It is another matter if ICO's interpretation thereof (failing to make the distinction between persistent vs. session cookies, among other things) is ridiculous.

So. Are Europeans just a whining bunch of data protection hypocrites?

Pseu Donyme

The long and short of it ...

..., I daresay, is that prior to Snowden the US enjoyed a fair bit of trust, which, of course, has not been the case since.

Safe Harbor ripped and replaced with Privacy Shield in last-minute US-Europe deal

Pseu Donyme

Re: These comments missing the point?

>Schrems case was not against Uncle Sam's processing of his private ...

Um, yes and no ... originally it was 'only'* about Facebook, but after the Snowden exposé he added the Uncle Sam angle to his complaint to the Irish DPA, which ultimately resulted in ECJ's rejection of Safe Harbour on this very basis.

* of course, the outcome could / would likely have wider implications, say, for Google

Pseu Donyme

US puts up its usual smoke and mirrors show and EU Commission pretends to be impressed. This would have been a chance for the latter to at least recognize the problem for what it is, which would have been a start in doing something about it. Hopefully this needs to get through EU Parliament and gets shredded there (?). I suppose a contribution to Max Schrems' europe-v-facebook.org wouldn't go amiss in any case.

UK concerned over EU law plans on trade of data for digital content

Pseu Donyme

>Innovative = scammy. Kill with fire.

Indeed. It would be much better to have multiple (relatively) simple two-sided (buyer/seller) markets than complex multi-sided ones such as Google's or Facebook's advertising-targeted-by-snooping enabled by an empire of interlocked, "free" services where the meaning (or even legality) of the consumer contract is unclear; that is, if the consumer is to sell bits and pieces of her privacy, then let those bits and the compensation for them be precisely defined; for the latter this would seem to mean (a recurring) cash payment.

Facebook tells Belgian government its use of English invalidates privacy case

Pseu Donyme

>If cookies originating outside the borders of Belgium...

It doesn't matter where the cookies originate. The issue is that by (EU wide) law setting cookies requires user consent. (Strictly speaking this applies to persistent cookies only; session cookies do not require consent, AFAIK).

Pseu Donyme

This and the earlier "security" excuse are so extremely weak that it can be concluded that Facebook's - most competent, no doubt - lawyers have no real defense here. A corollary is that Facebook has acted full well knowing that what they do is illegal (as the same or similarly competent lawyers must have thoroughly vetted what they do).

'No safe level' booze guidelines? Nonsense, thunder stats profs

Pseu Donyme

Re: What's the point of living?

>Piracy causes terrorism.

Good to know: until now I was under the impression that it merely caused Communism.

Obama: What will solve America's gun problem? What could it be? *snaps fingers* Technology!

Pseu Donyme

Re: Simple fix - Do what Australia did and ban them

>... they are rather easy to manufacture in the average kitchen.

With factory made components (propellant, primers, cases and bullets) and tools, as you say, rather easy; without them, however, rather hard if not practically impossible. Of these the hardest are probably the primers (for want of a consistently stable yet sensitive enough compound to be reliably set off by the firing pin) and a propellant (powder) to produce a safe and consistent pressure curve (not that the mechanical precision of factory made bullets, cases and tools would be trivial). That is, while shooting supplies for a blunderbuss might be made in an average kitchen by a (rather) knowledgeable person, those for modern firearms are quite another matter.

Windows for Warships? Not on our new aircraft carriers, says MoD

Pseu Donyme

>EUNIX?

EUNUX?

Google gets all lawyered up for ‘ambiguous’ EU anti-trust case

Pseu Donyme

>Search is a contestable monopoly, ...

Um ... no, it is a case of a multi-sided market, which results in an incontestable monopoly* in practice.

*used colloquially: "dominant market position" would be a more accurate term (there is an apparent tendency of actual, real-life markets being too inefficient to result in a monopoly in a strict dictionary sense)

Silicon Valley freeze-out: EU watchdog tells firms clock is ticking to limit data transfers

Pseu Donyme

Re: Yeah, But,

I'd think that many of the details of interpreting the law (the data protection directive and related) are yet to end up in the ECJ and before that we strictly speaking don't know what the authoritative interpretation is. In the meantime you could do worse than take a look at Max Schrems' take on some key issues:

http://www.europe-v-facebook.org/EN/Complaints/PRISM/Response/response.html

Facebook appoints self world police, promises state attack warnings

Pseu Donyme

Maybe I'm too cynical ...

... but I can't help thinking this is just a ploy to push authentication by cellphone as a necessity to get users' real cellphone numbers for their purposes (such as use as globally unique identifiers for combining information from different sources and to be sold off down the line as such or as a part of a user profile to marketers or anyone willing to pay).

Post-pub nosh neckfiller: Itty-bitty pyttipanna

Pseu Donyme

Re: And here I was on the way to the shops

A personal favorite on the side with this would be pickled diced pumpkin; I suppose the key is being pickled (tangy-vinegary) for a pleasing contrast with the meaty richness of the main fare.

Safe harbour ruling: RELAX, Facebook and Google will be FINE!

Pseu Donyme

For whatsoever a man soweth, that shall he also reap

Of course, this could have been avoided altogether if the US (govt and companies) had taken the issue - right to privacy in general and its modern aspect data protection in particular - seriously in the first place; ultimately the solution is for the US to adopt proper data protection legislation like just about any other advanced country (this has its origins in the OECD, after all), for US companies operating in the EU the solution is simply making a sincere effort to obey the law there.

Ad-blocking super-weapon axed by maker for being TOO effective

Pseu Donyme

Re: He's not making any sense

>He probably took a bribe. Get over it.

Having observed the morals* of admen over the years I can't help but further suspect that this is a part of a prearranged meta-marketing campaign extolling the evils of ad-blocking?

*the total absence thereof, actually

Google to French data cops: Dot-com RTBF? Baiser ma DERRIERE

Pseu Donyme

Re: "[..] it is not the law globally"

>Well over on our side of 'The Pond ...

I think that there is a misunderstanding of what is being asked of Google here. Having read the ECJ decision at the time my impression was that as long as the search results are available within the EU the 'right to be forgotten' applies; it is immaterial through which domain the search was made as long as the user is in the EU. Hence it seems Google could comply by always forcing the redirect from google.com to an EU site or by applying the EU filter to results from google.com when it knows that the search originates from the EU (as it does, as it forwards to a national site by default). Of course, Google could also comply by applying the EU filter everywhere, but this is not its only option.

However, if Google were to display search results on EU persons outside EU, there might be an issue of having exported personal information from the EU in the sense of the data protection directive; to qualify for the 'safe harbor' exception making such export legal Google has contractually committed to apply the key principles of the EU data protection law to the information thus exported.

Also, I don't think this is a free speech issue in the sense of the US Constitution, as that only limits what the US (or a state) government can do to prevent such speech (and the US (or a state) government is not involved).

Google turns cookie monster on AdSense, DoubleClick clients

Pseu Donyme

The trouble with Google is that their business model - pushing targeted ads where targeting is based on personal profiling without consent - is at odds with privacy and hence any decent data protection laws. What they are trying to do here is circumvent the EU law's spirit with an interpretation of its letter such that they'd be allowed to carry on as they were, when the only real solution would be dropping the offending business model based on the (non-existent) US law.

Swedish government wins legal case to seize Pirate Bay domains

Pseu Donyme

Re: The government can take stuff it thinks belongs to you if you've been convicted?

>If the domain is rented...

I suppose the government could sidestep the issue by paying the regular fees to the registrar for as long as they want to keep the domain out of circulation. This would be in line with no harm to the registrar - as with the court costs - due to finding them not liable. Actually, maybe the 'property' here is the right to the domain name under the same terms as with the original owner as opposed to a perpetual right to the domain name itself.

'Right to be forgotten' festers as ICO and Google come to blows

Pseu Donyme

Re: I've Asked Before

>... google.co.uk and google.com?

If I got the gist of the ECJ ruling right, the domain name through which Google search is reached doesn't matter as long as the results are visible within the EU. I'm not sure Google can display the 'forgotten' results even when the search user is outside the EU as there might be an issue with exporting personal data from the EU; in order to qualify for the 'safe harbor' exception allowing such export Google is supposed to respect the key principles of the EU data protection regime.

Google whacks CREEPY predictive search up to 11 in cheap Chrome OS beta

Pseu Donyme

>Rubbish. You're creeped out by a search engine ...

Um ... it seems as if you see Google as a company offering just a search engine. In fact it is really the largest ad pusher on the internet and this is where it gets its revenue. To target its ads it collects profiles on internet users. A part of this is one's search history on Google search and, in general, whatever they can get from their other services (such as gmail, Youtube, Chrome (browser), Android devices, Chromebook, cloud ...). This might be legal even in the EU (*), what is illegal (in the EU, at least) is their collecting (and making use of) data of browsing habits with Google Analytics, G+ buttons, Google Maps and of course the ads they distribute (and possibly otherwise) without consent - or even knowledge, in most cases - of the internet user.

(*) Then again it might not, because their TOS is so wide open to interpretation that actual user consent to any of this is suspect (and possibly because of their dominant market position with search and Android).

Google-gate: 'Toothless' watchdog FTC nibbles furiously on journalists

Pseu Donyme

Re: Google bashing

Indeed, richly deserved though - if only for their other misdeeds.

Ceterum censeo Google esse delendam.

'There is NO SUCH THING as a safe site anymore' – security bod

Pseu Donyme

re: privacy policy

How about

"We will collect, use and/or store information related to you only as strictly necessary to provide our products and/or services to you, such information will not be disclosed to a third party absent a court order compelling us to do so."

?
