* Posts by dan1980

2933 publicly visible posts • joined 5 Aug 2013

Australia to tax ALL international online purchases

dan1980

Ahem.

Fuckwits.

Some of them are greedy fuckwits. Some of them are corrupt fuckwits. Some of them are unscrupulous fuckwits. Some of them are lying fuckwits. Some of them are hypocritical fuckwits. Some of them are bigoted fuckwits. Some of them are thieving fuckwits. Some of them are scheming fuckwits. Some of them are out of touch fuckwits and some of them are just plain stupid fuckwits.

But fuckwits all.

NEW, LOVELY, UNTOUCHED - a second EARTH waiting across the stars

dan1980

"The ability to hack a vehicle is not easy. It took the two security researchers, Charlie Miller and Chris Valasek, months to tap into and control certain systems of Miller's SUV. They are experts."

Not quite correct.

The knowledge of how to design a hack for vehicles is not easy. (Well . . . ) However, all that is required for someone to have the ability to actually do it is that they have software to do so. We know that such software gets bought and sold freely and you might have someone selling the details of the vulnerability to someone else who develops the exploit who then sells that to someone else who develops the tools to deploy it.

The vulnerabilities may have been difficult to find and/or difficult to figure out how to exploit, but once that ground-work has been done, it's easy to repeat. In other words, it won't take 2 months to hack each Chrysler; it took 2 months to work out how to hack all Chryslers.

Cheaper broadband will slow NBN adoption, says Turnbull

dan1980

Re: Give the NBN to people that actually want it

"To try and argue that people would be happy to pay even more if the NBN was even faster (FTTH) is nonsense. Most people just do not have any need for faster broadband than they already have. That was Labor's folly that Turnbull inherited."

A couple of points.

First, some people would definitely pay more. Especially businesses who would love to get faster speeds that they are able to get currently but who are able to spend the money to have fibre installed directly. As an IT tech, I can assure you that there are companies out there from whom this would open up extra ways to do business and allow staff to work remotely - resulting in expansion into other locations.

Conversely, I have seen at least one company that closed a regional office because the person they had there to try and build a base relocated to Sydney due to the frustration of not being able to access company resources reliably.

Second, there is a false assumption - bordering on a straw-man argument - that the idea of the FTTP NBN was to be an efficient network that fills the needs that exist today. It wasn't - it was designed to be a network to cope with future needs. So the argument from people like Turnbull (and you) that people don't need more than is currently available is really an argument for not planning ahead when building essential infrastructure and only building what is necessary now.

Under the Turnbull & Aberglas school of infrastructure, one could now enjoy the wonderful historical site of Old Sydney Harbour Bridge - completed in 1930, this stately bridge's design was chosen in line with the government's policy of 'just enough' and won out over competing proposals that were deemed to be overkill. The final design scaled back the original plans for a 49m deck to a more sensible 28m deck, reducing the cost by approximately 20% and cutting building time by two years.

Why bother spending a bit more now for something that will last longer. Crazy idea.

dan1980

I really liked Malcolm Turnbull a whole lot more when he was in opposition.

There are two things to note here. The first is that the NBN is not providing enough of an improvement to speed and capabilities, due to the downgrading of the original plan.

The second is that it is amusing to see that the coalition doesn't actually seem to like it when their mantra comes true - that competition between private companies will provide better services, cheaper, than public-owned assets.

It is really funny to see a Turnbull complain that the private sector is going to provide better solutions for consumers than the public sector and lobby to have it regulated!

I'd laugh more but, whatever happens, we lose because it's our money paying for this second-rate solution in the first place so not only do we have to foot the bill for something that's sub-par, they want to penalise people for choosing another option!

Hark, the Hacking Team angels sing, it’s not us who’ve actually sinned

dan1980

Re: Mega Winge

Well, the choice of unit really depends on what is being measured - is it the hand-wringing and pleading and bullshit PR damage control or is it the scale of the offence that has been discovered?

On the second measure, this one rates quite high, to the point where calling it a 'Rabe' would perhaps be unwieldy as nearly everything must be expressed as a fraction of the whole unit - much like a Farad being rather too large for everyday usage.

Thus, Facebook's frequent land-grabs of personal content would rate about 50 millirabes, it being something people are largely entering into of their own volition. Perhaps a 'Schmidt', in honour of how much data Google hoovers up about everyone - even when you have told them to stop.

In terms of the former metric - the 'PR' response - the 'Rabe' might be a good measure but I think a 'Zuckerberg' may well be a good option as they are very much used to explaining things as just a 'misunderstanding' - nothing dodgy is going on, really.

So, I would estimate that Hacking Team is currently at about 20 kSt (kiloschmidts) and 5 Zb - rounding for simplicity.

But this is cumbersome; what's needed is a measurement to represent the level of farce.

Utilising our units, above, we can propose the Whisper, which represents the amount of straining of public belief that results from a breach of 1 St, being forcefully decelerated through a PR filter of 1 Zb.

Thus, Hacking Team are current outputting an estimated 100 kWsp.

At that level, the bullshit is visible from the moon on a clear day below and with a cheap pair of binoculars.

dan1980
Meh

Reading this man's words, it takes a supreme effort not to vomit.

So, their software is not a 'weapon'. Okay, let's run with that for a moment.

The thing about 'weapons', is that they are usually at least somewhat obvious. If you supply a nation's police force with sidearms then, when they use them, it's known. You can't deny that your officers don't have guns because anyone seeing them on the street will be able to look at their hips and see the weapon.

If they draw the weapon, you know about it and if they use it against someone, that, too is generally known.

So let's compare that to the 'tools' supplied by Hacking Team.

In complete contrast with 'weapons', these 'tools' are supplied confidentially, without the knowledge of the people. Their existence is not admitted and is not readily able to be discerned. Moreover, when these 'tools' are used, they are used silently and secretly, hidden from the people they are used against.

So, fine -let's agree that the 'tools' developed and sold by Hacking Team are not 'weapons'. I am comfortable with that.

So let's now investigate the nature of these 'tools'.

The best analogy I can think of at the moment is to imagine (not very hard at the moment) a flaw in the software of cars that caused the brakes to be applied when the pedal was not pressed. Now imagine that that flaw was found by someone like Hacking Team and methods to exploit it were developed and then sold to law enforcement agencies, who were very keen to get their hands on some 'tools' to help them stop police chases.

To them, these 'tools' were, of course, 'necessary' and were justified because they 'helped save lives' and preventing access to these important 'crime-fighting tools' would only result in more danger to officers and reduce the safety of the public.

But here's the rub - even if we truly believe that these 'tools' were only sold to the most ethically upstanding institutions who, in turn, only used them in the most ethically justified situations and only after the most rigorous scrutiny and vetting and approval, the tools being used are not the whole pictures.

Why? Because they only work by exploiting vulnerabilities and those vulnerabilities exist however careful you are with the dissemination of those exploits and however ethical you are in their application. They are there, and their existence is a risk for anyone making use of the software - in the case of our analogy, to anyone driving one of the cars affected.

So, imagine that this vulnerability in the braking software causes so random issue where a car suddenly brakes, in heavy traffic on a freeway, causing a pile-up of a dozen or so cars, resulting in great delays for huge numbers of people, many injuries and a few deaths.

The software developed to exploit the vulnerability in that software is not the cause - the underlying vulnerability is. But to to know about this vulnerability - and not only that but to have researched it and tested it and understood it enough to know exactly how it might be triggered - but to not tell the manufacturer? I don't understand how that can fit any definition of ethical.

And to then bleat on about how what you are doing is necessary to protect people? Well, that is just an astonishing level of self-delusion at best or, more probably, outright lying.

But that is, again, assuming that they really do sell only to ethical institutions and their software really is only used for ethically-justified purposes in an ethically-guided fashion.

And that is something that, frankly, I doubt even they believe.

STARS SNUFFED in massive galactic whodunit

dan1980

Re: @Mr Pott

Note that I did specifically talk about galaxy rotation and not any of the other ways that (non-baryonic) dark matter is nearly required.

dan1980

Re: @Mr Pott

Dark matter is stuff we can't detect directly but that is inferred when we mate current theories with observations.

The simple fact is that dark matter doesn't have to exist for galaxies to rotate the way they do and not tear themselves apart. There are other ways this could work - specifically that our laws and theories describing gravity are not accurate.

Essentially, the reason dark matter is 'needed' is because people are relying on their existing theories of gravity being accurate enough (and we know they are only an approximation) that they can be assumed to hold.

That said, the theories being relied on have been tested time and again and hold wherever they are applied. 'Dark matter' might seem like a huge leap in terms of lavishly proposing extra matter all around the place but it is significantly less of a leap than messing with gravity to explain it.

In terms of what this actually is, it is certain that planets and brown dwarfs and black holes and neutron stars and various other objects we can't directly observe - at least not reliably - are part of the large lump or stuff frequently termed 'dark matter'. This stuff is called 'baryonic dark matter', which translates to: normal stuff that we just can't really see. Specifically, it is stuff made up of protons and neutrons. Electrons are obviously a part of atoms and thus a part of this 'ordinary' dark matter but they are so monumentally out-weighed by their baryonic counterparts that they don't really need to be mentioned.

HOWEVER, even though we can't directly see this type of matter, there are other ways to detect much of it as well as theories and calculations that can be done that impose some kind of upper-limit and the important point is that whatever other objects are put forward as 'dark matter', there still isn't enough to account for observations - when computed with gravity as it is 'understood' currently.

That is where the concept of 'non-baryonic' dark matter comes in.

Once Neutrinos were found to have mass, it was possible that they were the culprits but other measurements and analyses of the structure of the universe strongly suggest that they can't be it alone, though they would certainly form some small component.

In the end, every more 'normal' candidate for the identity of dark matter has been found wanting because if they were responsible, it would mean that those objects are not really what we think they are - as it is would be if neutrinos were found to be the missing matter.

Likewise, dark energy is what we call the unknown stuff that we posit to fill the gap between what we can observe and what we currently know about physics. It is required if we trust our observations and our current theories and both those are on rather solid ground.

Dark matter and dark energy are kind of like the Higgs boson/mechanism.

They are only required if you want to keep your current theories and so some lay-people make out that they are just band-aids, slapped on to make it all work out neatly.

This is a great disservice to the scientists involved and implies that they just don't want to go back and re-think their pet theories. The problem with that notion is that they have rethought those theories. They have theorised and calculated and proposed and experimented and observed and repeated it all numerous times. And the theories work.

However hard it may be to believe concepts of 'dark' matter and energy dominating the universe, it should be understood that if you want to explain the universe without these components then the theories that would have to be thrown out or substantially re-worked to do so are so well supported that that act would be a far greater leap.

In other words, strange, invisible, exotic stuff is actually the most plausible option.

Beaten blokes hate the women who frag them in online games

dan1980

Here's a guide . . .

  • Step one: don't be a tool.
  • Step two: have fun.
Step two is optional; step one isn't.

dan1980

The study was designed to test two hypotheses of sexist behaviour: the first, that sexist behaviour is designed to drive women away from a “male-dominated arena”; the second, that “sexist behaviour is in response to a threat to a male's position in the hierarchy”.

The researchers conclude: “By demonstrating that female-directed hostility primarily originates from low-status, poorer-performing males, our results suggest that a way to counter it may be through teaching young males that losing to the opposite sex is not socially debilitating.”

Okay, so can we then draw the negative conclusion about the first hypothesis?

I.e. that this study concludes that, contrary to what is forced down our throats, male gamers are not actually trying to "drive women away from [gaming]".

If we could get rid of that nugget of received wisdom then I think we would all be a lot happier.

dan1980

Re: Normal behavour

Patent that!

What goes up, Musk comedown: Falcon rocket failed to strut its stuff

dan1980

Re: In-House is always better, it seems...

Making steel in house?

Probably not. You'd still need to test the resultant components to avoid the same issues so if you're thorough in that aspect I can't see much gain in safety from bringing it all in house.

North Korea's Red Star Linux inserts sneaky serial content tracker

dan1980

@Trevor

Sobbing is a bit much but I suppose my own country has broken my heart so many times (and increasingly frequently of late) that I end up receiving each new blow with slightly less flinching than the last.

Which is of course just the way our overlords want it.

Most telling is that I didn't really need to specify which country.

dan1980

Phew.

Glad I don't live in a country that thinks that spying on its own people is okay . . .

Marshall wants to turn your phone UP TO ELEVEN

dan1980

FLAC. Cool. That'll be, what - 50 albums?

Hacking Team hackers questioned over Hacking Team hack

dan1980

So they had an existing security situation? Did they increase their security to try and head off that risk?

Evidently not.

Having been slammed and embarrassed, ICANN tells the world: We've done nowt wrong

dan1980

FIFA also asserted they did nothing wrong and resisted oversight and transparency.

You care about TIN? Why the Open Compute Project is irrelevant

dan1980

@Alan Brown

That's just it - for your load, which you know intimately, you can do it cheaper yourself with an architecture designed specifically for it.

What these large cloud players are great for is situations where the demand is elastic.

That's why they have had some great stories about research projects (e.g. running models and simulations) managing to run their workload in hours when it would take their in-house systems days or weeks (or longer) to complete.

To spec their in-house systems to speedily handle the largest job is just not feasible as 99% of the time it will be vastly under-utilised.

But if your load is relatively well-known and relatively constant - or at least predictably expanding - then an in-house system may well be better for you.

The important point is that an 'elastic' system provides its benefit not just in being able to stretch to accommodate large loads but also in being able to shrink again, once those tasks/situation have ended and the workload returns to normal.

These cloud services allow you to ensure that you always have the resources you need to run your tasks, however large the get and however quickly they change. And it's fantastic, but if that's not something you need then it's not necessarily going to be the best option for you.

dan1980

Re: Quality does not seem to be a metric of consideration.

@Jim Mitchell

EXACTLY.

In small, single-rack deployments, you might replace a drive a couple of times a year and a server maybe once a year.

At that scale, hardware reliability does make a difference because, even a 'cheap' server is still some significant fraction of the total cost and you are likely to want it fixed or replaced by the manufacturer.

One server is also a significant fraction of your computing power so having it out of commission is not ideal.

Scale up enough and hardware failures on a server (whatever component) become a daily issue and as a result it is far simpler to just pull the server and replace it with a working one and then give the failed server to the appropriate team, who will assess it and either replace the faulty component and put it back into the spare pool or scrap it.

Once you are at that scale, a failed server or 10 is just not significant anymore - it won't noticeable decrease your available compute power so the fact that it has failed doesn't impact you in any serious way. Provided, of course, the software layer is designed to handle it.

If it is, you can take your time to remove the failed server and replace it, rather than pulling an all-nighter at the data-centre building a new one and swapping it in.

There are configurations in-between the two extremes, of course, and the question becomes one of figuring out at which point certain configurations and paradigms become more efficient. The tricky part is that there is no fixed answer and it must be assessed based on all the factors and with a detailed knowledge of the workloads you are running and plan to run.

The difficulty in hitting the 'sweet spot' is certainly one reason why 'cloud' can make a lot of sense - after all, the time and money it takes to figure this all out and optimise it is one of the factors! If it costs you a million dollars of staffing and testing and hardware and software to figure out an optimal solution that saves $100K a year, it's not necessarily worth it!

As someone said above, a known load is often cheap to do yourself. The simple reason is that the 'elasticity' that is so great in the big clouds is part of the cost.

dan1980

This message brought to you by your friendly local 'cloud' evangelist . . .

Not that he's wrong when he says that there's no way you can build and run and maintain a datacentre as cheaply as Microsoft or Google or Amazon. Of course you can't.

But the implication - that you can't deploy your workloads as cheaply in your own datacentre as you could by using Microsoft or Google or Amazon's public cloud is a little less cut-and-dry. Why? Because workloads vary. Simple as that.

It's also true that the requirements surrounding those workloads vary and this adds to the murkiness.

On one hand, you can argue that many looking to run their own data centres don't really understand the costs of doing it properly but on the other, you can also argue that many looking to host their applications on a public cloud don't understand the costs associated with doing that properly either!

Neil Young yanks music from streaming services: 'Worst audio in history'

dan1980

Re: Digital quality

@AC

"For background music, few people could tell the difference between CD and 128kbps MP3. At 320kbps MP3, you'll be struggling even on a hifi system."

Depends on what you mean by 'background', I suppose. Do you mean background style music or music that is just on in the background, while you are chatting to friends or dusting the bookcase?

I have a lot of music ripped as 192kbps MP3s for my portable player and almost all of it also ripped as FLACs for my home system. I can tell the difference between the two quite readily even when listening to them in MONO, using a single standard earbud through the integrated sound on my PC - bog standard Realtek job.

Between 320kbps and FLACs I am not sure I could quite so easily.

That said, unless you really know what to listen for and are quite familiar with the piece playing, you do need to hear the two copies one after the other to notice it most of the time.

I don't really know how to describe the improvement except to say that there is better clarity - especially in the top-end. It is like the difference between listening to speakers that have the tweeters around waist-high (on a shelf, say) and then repositioning yourself so they are at ear-height.

I think most people could hear the difference between a standard iTunes download and an uncompressed FLAC through even a modest system if they listened 'side-by-side'.

dan1980

"Can hear the difference in the high res tracks... but i do listen through professional studio level reference monitors."

The difference between what and what? Between crappy streaming and uncompressed or between standard CD-quality and 24/96?

New Horizons: We've got a pretty pic of Pluto. Now let's get our SCIENCE on

dan1980
Happy

@P.Lee

Ha!

dan1980

Re: American exceptionalism?

Well, large team of clever and dedicated individuals across several decades have achieved these feats.

But remember that, while everyone working at NASA is required to be a US citizen, not all of them were born in the US. In addition, NASA doesn't build - or even operate - all the vehicles and probes by themselves and make use of numerous contract organisations, where there will indeed be foreign nationals working.

Also, they are of course building on scientific work from numerous people of many different nationalities.

Not that this isn't very impressive indeed and not that we shouldn't be thankful for the US ponying up the cash to make this happen.

It is exceptional indeed, but it certainly wasn't achieved in some kind of isolation from the rest of the world.

dan1980

$700m is not pocket change.

Well, unless you are the US military, in which case you could launch 21 New Horizons missions* each year and STILL be spending more on defence than the next NINE countries PUT TOGETHER.

I'm not saying that defence is not a worthy area of spending, but when you are out-spending the next nearest nation by a factor of 3-4 then you can probably slice off a little and still be an effective force.

And not that NASA doesn't get a good amount of money either, but when they have to pull out of or delay well-researched, well-planned, scientifically-sound operations due to lack of funds, while money gets poured down the F-35 black hole, well, you can't help but feel that priorities and accountability are messed up.

* - Though the work done would mean subsequent missions would be cheaper, of course, we'll use 21 x $700m.

Reddit CEO U-turn: Site no longer a bastion of free speech – and stop posting so much hate

dan1980

I am not a big fan of Reddit - to be honest I don't use it, nor do I really understand or give much thought to it.

But, it's a site that, while it was created and developed by a certain group of people, it has been built by the community - by their participation and links and their content.

Thus it will always be tricky to try and exert too much control over it. You can do it, of course, but to maintain the site and keep the contributors and visitors happy requires a delicate balance.

What they need to do is create a clear code of conduct and terms of use and then stick to them. If that results in people jumping ship then that's what happens. If they want to prevent certain types of discussions from being on the site then that's their prerogative, but that's not without consequences.

If it was me, I would simply leave it that illegal content is not allowed but any discussion may be had in a user-created sub-reddit. Simple. The guide for users and visitors is obvious: you can create a section to discuss whatever you want, however you want and can ban users from contributing if you like. But you do not get to complain about what someone else says in their own area, no matter how 'reprehensible' you consider it.

If reddit are not going to allow unfettered (legal) free speech then they should provide clear instructions on exactly what is allowed and what is not. They don't have to do that, of course, but if they start taking down things based on their own discretion then soon enough people will stop posting controversial topics and will go elsewhere to do so.

If that's what they want then fine, but they need to be clear about it.

Twitter shares soar after buyout story appears on bogus Bloomberg site

dan1980

Much trading is now done at very high speed, to capitalise on changes in the market. It's not about buying some shares and watching the company grow, it's about developing the most effective algorithms and getting information to feed into them the quickest.

It's a bit of an arms race and what you can see is when there is some spike, other algorithms will kick in to buy stock that is trending up quickly - the assumption (by the algorithm's creators) being that there is some good news in the market driving that.

So, not all the people forcing that price up necessarily had the news in question.

That said, there are services that will scour everything and publish it so some who did see this news didn't necessarily see it from the bloomberg.markets website. Traders also forward stories to each other so it all gets around.

AND, the point is that it really doesn't matter if the story was fake or not - to the big traders. What matters is that there were two changes in th share price, both of which could be capitalised on if one has the right algorithms and gets the information quickly enough - there are plenty of those who would have sold it higher than they bought it an earned a tidy gain.

Longer-term investors would have been unaffected as the price corrected so it's really only the high-speed traders who weren't quite speedy enough or whose algorithms were set differently who would have been negatively affected.

Hacking Team: We’ll be back in the spyware biz before you know it

dan1980

Re: lol

When your business strategy is to sell tools that allow organisations to illegally access the computers and data of other organisations and individuals, it does prompt the question of exactly what qualifies as "ethical" behaviour.

dan1980

Understood.

It was our mutual understanding that this buyer maintained the same code of ethics as our own. Unfortunately we were very, very wrong," it said.

Your understanding?

Based on what information? How carefully did you vet them? Did you demand, in the contract of sale, that products developed with the provided information about the vulnerability would only be provided to governments approved by you? Presumably you specify that your clients can't provide the product or reveal the vulnerabilities to the developers of the software you are exploiting so one assumes you have crossed a few 'T's and dotted a few 'I's. Strange then that the criteria to not provide the product to repressive regimes is absent. Or maybe it's not that strange.

And what is you "code of ethics", exactly?

If it is that you don't provide your services and products to certain clients, what is the restriction. We know that you previously only sold to "US clients" but, beyond that, what was your criteria? Did you sell to any US clients? On the basis, perhaps, that they are all trustworthy and would never do anything that violated you "code of ethics"?

So what is it that you consider to be ethical conduct?

I mean, let's not beat around the bush here - your company actively researches vulnerabilities in software and, rather than informing the developers of that software - which would increase security for everyone - you keep it secret and develop code to exploit those vulnerabilities for the express purpose of gaining access to another person's private property and accessing their private data. You then sell that capability to other people - people whose motives and business practices you evidently don't investigate and vet sufficiently.

You sell tools that allow one party to spy on another. What does a company have to do to be considered to operate outside of this code of ethics of yours? What the hell do you think they are doing with your products?

But, let's assume that you really did have the best of intentions and truly did believe that 'Hacking Team' were your brothers from another mother. It's great that you've now decided to no longer sell to them (again, taking you at your word) but what measures will you put in place in the future to ensure that the vulnerabilities you discover and the exploits you create won't be used by or on-sold to unethical organisations/states?

Which organisations and states will make that list, hmmm?

Brandis' metadata retention recipe doesn't prohibit USB drives stored in a garden shed

dan1980

Ahhh yes - let's pass wide-reaching laws now and work out the "finer details" later.

That seems the proper and sensible way to treat the privacy of the entire country. Never mind that some of those "finer details" are exactly the sort of things that tech and privacy experts - as well as ordinary citizens - have been so concerned about.

You know - security of the data and regulations for its access and transmission and other trivialities like that.

Just start collecting - we'll figure the rest out next week or something.

'Save the teachers!' 184 cryptologists send Oz Govt cleartext petition

dan1980

Re: compelling argument?

@Yes me.

Really? No, the US don't really want partners in that way. They want to co-opt other countries to:

1. - Spy on US citizens for them to get around what few, weak protections they still have.

2. - Spy on other nations based on geographic location.

They want everyone else to be an arm of the NSA, helping them to extend their scope. I don't think they really want them to have technological capabilities rivaling that of themselves but instead to be provided with the tools and systems at their (the NSA's) discretion in order to further the NSA's goals.

That's speculation, of course, but if Australia is developing independent capabilities that the NSA does not already have then surely they would consider that dangerous.

dan1980

"The group says unhindered research and education into cryptography serves the Australian public . . ."

And this is supposed to be a compelling argument?

It is for me and it should be for politicians too but if anyone still thinks this is what they care about, then that is some impressive naivety.

Hacking Team: We're the good guys, but SO misunderstood. Like Batman

dan1980

Y'know Trevor, there are times when I wonder whether you're actually my evil twin - me without my rage-to-keyboard filter.

dan1980

You know all those people at risk because of this leak?

Guess what? They were always at risk.

Their line appears to be that they are the 'good guys' and that the 'good guys' should be allowed to hoard such vulnerabilities and exploits and then sell them to other 'good guys' so they can use them to do 'good things', but if 'bad guys' get their hands on it then they will use them to do 'bad things' and that will be bad.

Now, I agree whole-heartedly with the second half: if malicious actors get their hands on these vulnerabilities then bad things will indeed happen and have happened. But surely that implies that you have a responsibility to protect this information and ENSURE that it doesn't fall into the wrong hands.

I appreciate that preventing well-funded, technologically-capable and determined attacks is very difficult (and expensive) but this software is sold to Governments!!! If that's the level your are operating at then you HAVE to expect that there will be attacks that will be VERY well-funded - possibly even from other states.

So it's no excuse to say that the attackers had "considerable funds" with one breath and then with another say just how dangerous the people are ('terrorists!') who are now making use of this and how much harm this will cause.

You (Hacking Team) are admitting that the data you were hoarding was very dangerous and desirable to criminal and terrorist organisation and 'bad' countries/governments but yet evidently did not secure it against these threats.

That is negligence; you actively pursued information that puts everyone at risk and, rather than help protect them from that risk, you exploited it to make money.

The line that you "do not trade in weapons" is irrelevant. You trade in something that, by your own admission, would create an "extremely dangerous situation" and a "major threat" if it got into the 'wrong' hands. Thus, just like people who deal with "weapons", you have a responsibility to prevent this dangerous product from being accessed by those wrong hands.

But you didn't, and so information you have hoarded and the tools you have created to exploit it are being used by exactly those people.

Of course, this is all taking their rhetoric - that they are the 'good guys' and only sell to ethical "governments and government agencies" - at face value, which is something that I still find not good enough.

dan1980

@AC

. . . and F-15s?

I cannae dae it, cap'n! Why I had to quit the madness of frontline IT

dan1980

Re: IT is not just another cost-centre

Step 1 - Management asks IT to ensure systems are secure.

Step 2 - IT presents researched, costed solution to Managment.

Step 3 - Management requests system to be provide 40% cheaper.

Step 4 - 40% less-effective/resourced solution put in place.

Step 5 - Everything run perfectly in perpetuity - yay management!

Oh, wait . . .

Yes, management often have 'other priorities' but actually it's really just one: do more with less. That's great, from a business perspective, but sometimes more takes more. Or at least can't be done with less. Some things in IT absolutely can but security is not somewhere you can cut too many corners and security of a massive and very sensitive collection of data is certainly not somewhere you can afford to skimp.

Great that 'management' has other priorities but if security of sensitive data is not a high priority then their priorities are wrong. It's not: "hey, let's replace all out SANs with new flash-only arrays" or "hey, let's give everyone iPads" or "hey, let's upgrade the helpdesk ticketing system to make life easier for our staff".

dan1980

Re: I also agree, but...

Hear that Trevor? It's your responsibility. Glad I'm not you, mate.

Isn't this the 'Sysadmin Blog'? (And, if so, isn't 'whining to the choir' one of the main reasons to have a 'blog?)

dan1980

Re: I also agree, but...

The idea that the people being thorough, accurate and honest are the 'problem' is perverse.

The problem is with the 'management types' not understanding how IT is not just another cost-centre and can't be treated the same way they treat the other areas of the business.

Perhaps more IT people should learn to speak 'management' more fluently but it is, again, perverse that this gets so turned-around that it becomes IT's responsibility to understand management rather than management's responsibility to understand the operation of the component parts of the organisation they are supposed to be leading and guiding.

Of course, in any situation you have to evaluate what it is that you can do to achieve the results you need, but that does not effect the kind of systemic change that is needed.

PLUTO SPACE WHALE starts to give up its secrets

dan1980

Re: Call me simple

As are most of the moons out there. As are basketballs.

IBM GATE-CRASHES chip world, boldly exclaims: 'We've cracked the 7nm barrier'

dan1980

Perhaps just me but when I saw SiGe/Silicon-Germanium, I got the urge to put both my Fulltone '70 BC-108C Silicon Fuzz and Hartman Vintage Germanium Fuzz back on my board and see if I could get my amp to go into meltdown.

Maybe I'll add my Black Arts Pharaoh and LSTR to the mix and see if it starts raining frogs. But then my Blackout Effectors Musket would feel left out. I'll be a bit worried for my brother but I'm a middle child - I'll be alright.

Sorry - what was this article about again?

US govt now says 21.5 million people exposed by OPM hack – here's what you need to know

dan1980

"Certainly, during the Cold War nobody would have thought of OPM as a target for identity theft or espionage," said National Security Council cybersecurity coordinator Michael Daniel during a press conference call on Thursday. "Just the nature of paper files and the way that we thought about information didn't lend itself to that."

No. Shit.

And THIS - this right here - is the problem with equating the mass collection of data with anything that has preceded it. Metadata collection is not equivalent to hiring someone to look at addresses on an envelope. CCTV cameras everywhere, hooked up to huge banks of storage and monitored by advanced facial-recognition software is not the same as having an undercover police officer surveil a suspect. And requiring encryption that can be broken by a third party is not the same as being able to enter a house with a warrant.

Physical files take a certain amount of time and effort to steal, and that increases as the volume of the haul increases. Likewise, trailing a person to find out where they go takes resources and this limits how many people can be so monitored and for how long. Same with search a house - warrant or not - it takes people and planning and time.

The fact that the 'traditional' way of getting at this information is labour-intensive and, therefore, costly means that law enforcement agencies have to prioritise their resources and results, generally, in having to make a case for assigning those resources to specified targets.

The current situation, where data on everybody can be slurped without any extra effort, is the essential evil because it makes something that should be exceptional into something that becomes viewed as common-place.

Glad at least someone in one of our governments has begun to glimpse the hazy outlines of this truth.

Crap crypto crackdown coming as FBI boss testifies to US Congress

dan1980

@tom dial

What you are saying - in your first paragraph - is largely the line that politicians want us to swallow. It sounds reasonable enough but it completely paves over all the ways data on Internet-connected servers, or traversing the Internet* is different from the more conventional targets of 'search and seizure'.

The fact is that modern technology and storage and communication changes the situation in ways that would have been not only unimaginable but unintelligible to the people and lawmakers at the time of the Constitution, with Volta's crucial work not occurring until 10 years after the relevant 'safegaurd' Amendments, and not a single one of the signers lived to see a working electrical telegraph system, with Madison missing it's invention by two years and it's use by 20.

But even in the late 19th century, with fast, cheap, long-distance communication a practical reality, the concept of MASS transmission of all kinds of information - of photos, of music, of entire libraries, of banking data of all kinds, telemetry of vehicles - was well over a century away.

Could those who devised the Fourth Amendment really conceive of a device that could store every piece of information about you and every communication and that could not only store that information but catalogue it, index it, search it, cross-reference it, copy it and display it, and could do so taking up no more space than satchel?

Mass, effortless and instantaneous creation, transmission and storage of information changes things fundamentally - to a point where the old concepts and standards and laws are not suitable for dealing with this vastly different world we now inhabit.

Or any link that is not completely private and secured, physically.

dan1980

"Maybe it's too hard, but this country wasn't made up of people who said 'It can't be done'."

No, you're quite correct director: the US wasn't made by people who said "it can't be done".

It was, however, 'made' by people who refused to surrender their rights to a government that took and took. It was made by people who resolved to give up their safety and security to fight for their freedom. It was made by people who would rather lay down their lives than their liberties.

On which side of that struggle would you be standing? How would you treat Samuel Adams and the other Sons of Liberty, rebelling against the practices of an oppressive government? How the British would have loved to monitor all their communications, expose their meeting places, unravel their plans and identify and capture their members.

Or was it a different country you were thinking of?

dan1980

Next up on the senate ticket . . .

. . . a robust debate to determine exactly how much funding should be assigned to the important task of squaring the circle*.

That said, we are talking about someone from a state where the watermelon is the official vegetable.

Apparently, the sponsor of that bill (one Senator Barrington) declared that, while the watermelon was indeed a fruit, it was "also a vegetable because it's a member of the cucumber family". He was apparently unaware or unconcerned that the cucumber is indeed a fruit too and only really (informally) classed as a vegetable because it is savoury, like the eggplant (which is also, of course, a fruit).

While this is all very amusing, it seems irrelevant until you get to the good quote:

"The controversy on whether watermelon is a fruit or vegetable has been officially decided by the Oklahoma legislature."

Okay, so it may have been a bit tongue-in-cheek and designed to garner publicity for the state's watermelon growers but the idea that an act of government can trump an independent, botanical fact is, I feel, somewhat relevant to the issue at hand.

The truth is that the watermelon's status as a fruit or vegetable is not a controversy, any more than the the earth's age is. Those who know what they're talking about are pretty clear on the matter, just as security professionals are pretty clear on this issue.

The troubling (though hardly novel) take-away is that our collective politicians seem to believe that independent experts' advice and experience and even the facts they explain should be considered secondary to their own uninformed intuition and lay-person opinions and beliefs.

D'you know what?

Let's assert, by government fiat, that 0.9999.... is in fact not equal to 1. That'll solve that 'controversy' too.

* - Hmmm . . . while checking if the correct term was 'squaring a circle' or 'squaring the circle', I found that they would be beated to the glorious punch, anyway: Indiana Pi Bill.

Security gurus deliver coup de grace to US govt's encryption backdoor demands

dan1980

Re: Chasing criminals or controlling the populace?

To be honest, I do believe that monitoring the population, the companies, the corporations, the clubs, the civil servants and the media are what much of this is aimed at.

My point is that constructing an argument along those lines will never work. Trying to change the government's mind by reasoning that they are corrupt and lying to the people is a little illogical. It's not as though a group of people who are corrupt and out to promote corporate interests over public or who are looking to create a fascist state are going to put the hands up - mea culpa - and back away.

The argument must be won on other grounds. And, the fact is that some of these people really do believe they are doing good and they must be convinced that they are wrong.

And, again, all of that is somewhat superficial. The point is that, as citizens - the very thing that makes up the country - we should not ever be blinded by an argument that such and such a measure will make us 'safer', or that our liberties are not really that important.

That's how this battle is being won - not by going against the wishes of the public but by convincing the public that what is being done is actually in their best interests. That any appreciable percentage of the population not only accept the idea that it is okay to trade almost all privacy for a sliver of security but believe that it is a sensible and reasonable exchange is, frankly, alarming and depressing in equal measure.

People seem to be so busy arguing whether we are being lied to or not, and what the real goals are that we risk losing sight of the fact that even if everyone is found above reproach and every measure above board and every benefit beyond expectations, what we are being asked to give up is too important; too precious; too hard-won, to be sold.

Even if the beans do turn out to be magic.

dan1980

Re: Is this a good analogy?

Expanding (really???!?) on my points above, we can investigate the methods of providing access to law enforcement.

Our first method - requiring people to provide the codes - means that they must be registered and licensed. 'Normal people' (who apparently aren't the target for any of this) will either be restricted from using encryption or simply won't bother with the hassle and so won't use it. Either way, the result is the same - people are less secure.

The second method - a 'master' code - allows everyone to use encryption but it is a much bigger risk as having just one code compromised would instantly make HUGE numbers of people and businesses vulnerable.

In practice, the second method is largely the same - if the 'back door' to one algorithm was discovered, anyone using one would be vulnerable.

Realistically, the first method is only feasible if access to the technology (safes in our analogy; encryption in the proposal) is strictly controlled such that being found to use encryption when not authorised would be a criminal offence. This of course results in ordinary people being less secure from people who do mean to steal their valuables/data.

So, it must be the second/third method - small number of access methods that work on vast swathes of instances or one master key.

That said, one would expect that, while access to encryption wouldn't be restricted, you would be stuck with just a few 'approved' choices, the keys for which were known to the government. Any 'rogue' encryption algorithms would be illegal.

And that is the likely world of their dreams - everyone using one or two encryption algorithms/implementations that the government can decrypt en masse and at will. Which them prompts the question of what happens when (not if) the method of decryption is compromised - either by foreign agencies or malicious actors? How do you keep everyone secure? You have to create new algorithms or new implementations - and that takes time, during which all communications, all downloads, all bank transactions - everything encrypted - is vulnerable to interception, corruption, alteration and theft by any number of people and groups.

There is just no way that this proposal is anything other than a crazy nightmare cooked up by people who either truly don't understand the implications to simply don't give a fuck.

dan1980

Re: Is this a good analogy?

". . . an impossible to enter house is essentially impossible to build . . ."

And this is why justifying such measures by way of analogy is misleading. There's the same argument about metadata being "the name and address on the envelope, not the contents of the letter".

Analogies are fine for understanding non-critical concepts - they give you a way to explain/understand something that is difficult to grasp directly. I do this daily in my discussions of IT with non-technical people and that's works well.

But, to explain important issues that contain complex nuances with wide-ranging consequences that will affect vast numbers of people and companies in diverse fields in myriad technical, logistical, developmental, financial and legal ways, well, 'think of encryption like a house' just doesn't cut it.

If it must be compared to some more familiar, physical object, compare it instead to a combination safe. This has and instant benefit over a comparison with a house door in that a (proper) safe is designed explicitly to prevent it being forced open by unskilled people, whereas a standard house door is really only designed to keep out casual intrusion and cold breezes.

Now, there are many such safes and some are stronger than others with varying levels of complexity and combinations. Safes are, as can be implied, a safe place to store things - not just money but information, passports, personal memories like photos - whatever it is you want to keep, well, safe. And not just safe from thieves but private as well. Perhaps you have correspondences and keepsakes from an ex-lover that are still dear to you but that you don't want your current partner to see. Or cigarettes or a bottle of nice whisky that you don't want someone else to pilfer or find out you've been smoking/drinking.

And, of course, companies have safes too - usually for money (or equivalent) but also for things like backup drives that they don't want lying around or for copies of the company ledger.

The encryption algorithm/method is, in this instance, the workings of the safe locking mechanism and an encryption key is the code you put in to unlock it. With this analogy, what the government is asking for is for EVERY safe to be able to be opened by law enforcement, without having to actually ask the owner for the combination.

Think what that means for a moment . . .

For a start, we have to come up with a mechanism for this unlocking to occur. There are three main ones that are available.

First, one can require that everyone who owns a safe must provide the government with the combination. This pretty much requires that you couldn't just go out and buy a safe - you would have to apply for a license to own a safe and register it with the government. You would then be required to update the government every time you changed the combination on the safe. Otherwise, a criminal could simply go and buy a safe and just not tell the government.

Second, one can require that all safes have a second, fixed, code that is specified by the government or supplied to them by the manufacturer. You could have one code per maker or per model*.

Last, we can require that all safes have a 'backdoor' - a mechanism of opening them without knowing the combination.

Some may realise that this last options is what most actual safes do, in fact have and the knowledge and ability to 'break in' to them is closely guarded and only provided to approved, accredited locksmiths. There are caveats, however, such as the technique being specific to each model and some of those are destructive, requiring drilling in precise locations, usually using templates. There is also the fact that no safe is actually required to have such a procedure and all such procedures take experts with specialised knowledge and non-trivial amount of time (and hour or more, usually) and generally it's pretty obvious what's going on.

But even then, with all that comparison, there are still CRITICAL points of difference, such as safes requiring individual attention of an on-site person. I.e. it is not feasible to 'break into' many safes simultaneously or to break into one remotely and usually not without someone knowing you're doing it or have done it.

And this is where any analogy falls down, because none of them come close to either the breadth of access that 'crackable' encryption would allow or the ease of an 'authorised' person doing so or the scope of how many people could be affected simultaneously or the ability to do all that without anyone knowing.

Feeding that access back into the safe analogy, the access they are trying to achieve is not just to be able to break into any safe they want but to be able to remotely, secretly and nearly instantly determine the contents of every safe, owned by every person, store, company, pub, rotary club, church, bank, school, oil corporation. Every political action group, every civil rights organisation, every media outlet. They want to be able to find out which pornos a 17 year old has stashed under the mattress and what's written in your daughter's diary.

But more than that. They want to be able to record it all - not just what is in there but when you put it in and when you take it out and if you transfer it to another person's safe, whose and when they take it out and who they transfer it to. They want the ability to invisibly copy the the contents of your safe - unknown to you - and keep that information forever.

But it doesn't stop even there because this ability, to break encryption seamlessly and without anyone knowing it's been done, also allows someone to alter the contents of your safe when you're not looking - to remove a photo you've stored or to corrupt a document so you can't read it anymore. Or to add stuff in.

And that's worse and the analogy can't keep up, even stretched as it is, because the abiity to decrypt your information allows for 'man in the middle' attacks which, in concert with the existing ability to interecept communications can alter your data in transit if so desired. A file downloaded from from a website could be replaced with what would appear to be the same file but was infact altered to infect your computer or device with malware - a key logger, for example.

The implications of this are just mind-boggling and no analogy, no matter how relevant it might seem, can capture the full scope of what is being proposed. Any attempt to explain it in such a way risks misleading or, is designed to do so.

No, metadata is not just like the address on the envelope and the ability the government is arguing for is not like being able to enter a house. (Regardless of warrant.)

* - To keep the analogy in line, we can imagine that individual safes can't be identified - for example by a serial number - and so a per-unit code hard-wired code is impossible.

dan1980

Re: Chasing criminals or controlling the populace?

@elDog

Well, even assuming that it isn't a 'smokescreen' and their goal really is to stop terrorism and very serious crimes, the problem is that these measures just aren't provably effective for achieving that end but they are effective for monitoring the general population and policing comparatively minor crimes and, of course, for cracking down on whistle-blowers and people leaking information to the media and indeed for identifying journalists disseminating that information to the public.

And, because these types of measures are effective in that space and because there is often very little in the way of restriction or oversight in how they are applied, that is what these laws and capabilities are used for in practice.

And even if they are also used for the purposes advertised, those events are orders of magnitude rarer than the more minor, non-'national security', non-'serious crime', situations, so on balance, these laws become, by de-facto, for the policing of those minor crimes and the monitoring of those non-high-threat individuals.

dan1980

@Six_Degrees

Didn't you hear him? He said it "will inexorably affect [his] ability to do that job".

Isn't that proof enough? No? Oh, right.

Hacking Team: Oh great, good job, guys ... now the TERRORISTS have our zero-day exploits

dan1980

A vulnerability is just that

And this, ladies and gentlemen, is the problem with the concept of hoarding exploits - they get out.

This should be instructive for our governments when considering their various proposals to mandate 'crackable' encryption - these 'tools' they covet and demand are vulnerabilities and their existence is a security risk whether they are 'in the wild' or hoarded by a government agency or a private firm.

One thing we need to clear up is this misconception that having someone trustworthy controlling this information somehow makes it all okay. It doesn't; the vulnerabilities still exist. What has been managed is simply the knowledge of those vulnerabilities.

Someone else will come across the same vulnerabilities and, once that happens, you have instant risk to everyone using the software/hardware. There is also the possibility - some would say inevitability - that, as has happened here, the information will be stolen.

The fact that it has happened here should give every government pause. This is a company whose very reason for existing is identifying and understanding vulnerabilities. They get paid to understand the world of 'cyber security' and what is required to breach systems. They are a professional outfit with serious commercial incentive to keep this information safe* and they were breached.

Remember - a vulnerability does not magically disappear simply because only the 'right' people know about it. Sooner or later, someone else will - no matter how clever those protecting that knowledge or how sincere their intentions.

* - After all, if the vulnerabilities are patched, their products become ineffective and thus their business has nothing to sell.