* Posts by dan1980

2933 publicly visible posts • joined 5 Aug 2013

NYPD anti-crypto Twitter campaign goes about as well as you'd expect

dan1980

@Dropbear

Labelling the police as generally bad with just a few okay ones is no way to proceed in this argument as it's something that will get the police and the politicians VERY defensive.

People arguing this way are discounted as extreme and prejudiced. It doesn't matter if you are correct or not because the argument gets shot down too easily.

Instead, I believe the best way is to point out, essentially, that even if the vast majority are unimpeachable, there are still, provably, some percentage who do the wrong thing and when it comes to access to powers of such a sensitive and potentially damaging nature, just one misuse of power by one police officer can be devastating for an individual, family or a company.

When the police cannot guarantee that existing powers will not be abused at all, they cannot guarantee that the sought-after new powers won't be.

dan1980

Cops are generally good people with a genuine sense of duty and an honest desire to 'protect and serve'.

But they are people and so some are 'bad eggs'. In some cases this is simple carelessness but in others they are driven to bend and break the rules in pursuit of their duty and still others outright break the law out of pure self-interest.

That's just a fact.

And, as such, you cannot pretend that those people will not misuse the powers being demanded. What argument can possibly be deployed where one acknowledges that some police currently misuse their existing powers but insists that these new powers will be safe and not misused?

But let's put that aside. For the moment.

Why do these people never get up and push for tighter restrictions and safeguards when it comes to access to these powers? How do they claim that they respect privacy and need to find a 'balance' but always, always resist any proposals of restriction or oversight and actively lobby for existing safeguards to be watered down and removed?

Why do we never see one standing up and saying that:

"We need a strict, monitored and tightly-controlled process for access to sensitive data and deployment of powers that intrude upon privacy and weaken security."

Why do we never hear the police calling upon the government to:

"Set up an independent taskforce to investigate any misuses of police powers and press criminal charges against those found to have accessed data without approval or under false pretenses or disclosed that data to any third parties."

They say they are committed to protecting privacy and security and that they want to find 'balance' but for some reason those calls for protection never involve calls for oversight and the appeals to 'balance' are always towards one side of the argument - more access to more data with less regulation.

Curious . . .

US anti-encryption law is so 'braindead' it will outlaw file compression

dan1980

The upshot of this law can be stated simply, in relatively plain English:

You cannot use encryption that you are unable to break or to which you do not have a key.

This is the nuts of it: the requirement to provide 'intelligible' (i.e. plaintext) information has, as a necessary pre-requisite, the ability to obtain this in the first place. There are only three ways this can be done:

  • No encryption at all
  • Knowing the keys (by recording user passwords)
  • Deliberate use of flawed ('back-doored') encryption

Saying that the bill doesn't provide authority for the government to "require or prohibit any design" is rather disingenuous because there ARE designs that are prohibited - specifically designs employing strong encryption where no keys are recorded.

They have been rebuffed time and again and ridiculed for their insistence that encryption can simultaneously be breakable by 'authorised' parties while being secure against unauthorised parties.

So they have decided to just ignore the implementation and simply focus on the result they want, trying to legislate that software providers must square the circle.

Flying Spaghetti Monster is not God, rules mortal judge

dan1980

Re: All 'religions' the same

@Alien8n

". . . the biggest difference between Scientology and other religions, even the Mormons, is that they don't allow anyone to see their "sacred texts" unless they pay for them."

Oh, absolutely, though I would contend that the standard path taken by many in the 'mainstream' religions you mention is to be taught the religion early on. Which parts of the central text(s) are taught as actually true and which are explained as allegorical varies by denomination and the individuals doing the 'teaching'. It's generally not that those texts are simply plonked down for people to "make [their] own mind up".

But still, the basic differentiation is between Pastafarianism as a self-consciously invented parody/satire/social-challenge* and those religions where the adherents actually believe at least the core tenets.

* - I think this is the most important function of the 'religion' and indeed why it was invented in the first place. As I see it, the religion presents a challenge not only to religious people but specifically to authorities, to prompt them to explain why any given rule or exception should apply to, say, Christianity but not Pastafarianism. Essentially, challenging those people to legally define what is so special about those religions they do give special treatment to.

dan1980

"Nor was he impressed by Cavanaugh, who had a rather poor grasp on Pastafarianism's key texts, which the judge took the trouble to read."

Is it too much to hope that those who wish indulgence to behave in an otherwise unacceptable way or illegal way must similarly prove a strong grasp on the central texts that allegedly inform and justify their actions?

That'd be great - if you want to discriminate against gay people, you must take a bible quiz.

I'd watch that train-wreck.

dan1980

Re: All 'religions' the same

@Mad Mike

As a godless heathen with no love for organised religions and appreciation for satire, I still think that there is a world of difference between Pastafarianism and, say, Christianity. I also, believe it or not, see an almost equally-large difference with Scientology.

Is Scientology shamelessly made up and utterly unsupportable by evidence or reason? Absolutely.

But the real difference is that the adherents of Scientology actually believe in it. One of the biggest criticisms levelled at Scientology is that it exploits and cons people into working for them and paying for the privilege.

And yes, they are manipulative and use all the techniques of other cults to indoctrinate and control the members. But that very manipulation is possible because those members actually put stock in the ideas and tenets of the 'religion'.

Likewise with any other 'actual' religion - the adherents actually believe in what that religion teaches and promotes. Not all believers swallow the creeds wholesale, but 'real' Christians do actually believe that a man named Jesus existed some 2000 years ago and that man was the son of God who died in atonement for human sins.

If any Pastafarian honestly and sincerely believes that the FSM actually exists then that would be another matter but, let's face it, that's just not the case.

So, while I have no time for religion and think those who follow religious creeds are largely fooling themselves, there is still a significant difference between these things.

Line by line, how the US anti-encryption bill will kill our privacy, security

dan1980

Let's blow past all the ethical reasons why this is ridiculous and even past the reasons why weakening encryption is dangerous.

Instead, let's just focus on the practical, logistical implications for the existing technology companies who would be covered by this.

There are thousands of pieces of existing software, currently running on all manner of hardware, that would need to become compliant with this legislation. All that software would need to be re-written and re-deployed.

That's not quick and it's not free. So, while companies may be compensated (by the tax payer) for the effort required to hand over the data for each request, who pays for them to re-write their software? To delay product launches? Arranging for updating of existing devices? User communication? Support?

And that's before we talk about interoperability and communication between heterogeneous systems - something that's sort of important in the modern, connected world.

How can you have software from different vendors across different hardware communicating without standards? And what standards can exist when each vendor is charged with coming up with their own solution?

So yes, the privacy and security issues are HUGE but even at the simplest level, this legislation is insane.

Uber hands over info on 12m passengers, drivers to US officials, cops

dan1980

Uber also complains that it is required to hand over more information because it operates over the internet, noting that the requests "differ or exceed what regulators demand from offline companies."

That's because you have that information, guys. The reason an 'offline' taxi company doesn't have to hand over the details of passengers is because it doesn't (generally) collect that data.

Are these Uber mouthpieces even aware of the hypocrisy in complaining that their use of mobile phone 'apps' and online booking, payment and processing shouldn't result in them being treated differently while simultaneously insisting that their use of mobile phone 'apps' and online booking, payment and processing means they should be treated differently?

Putting that aside, however, there is indeed an important question here. Several actually. The first is: why is this information needed by these authorities? Anonymised trip data sure, and employee (driver) data is also understandable. Both of these - and certainly the latter - are kept by normal 'offline' taxi companies and they are relevant to all manner of compliance matters. But actual customer (passenger) details cannot possibly be relevant.

If that was the case - that identifiable customer data was critical to some function or regulation - then non-online companies (like ordinary taxis) would be required to collect and record this information.

It's a case of "it's available so we'll grab it" and that mentality is one of the core reasons that we (in most 'western' democracies) are subject to such unprecedented and unrestrained surveillance. If data exists, there is the expectation that it is fair game and should be handed over as a matter of course. The questions of privacy and necessity and proportionality are never even considered by those agencies and authorities who make the requests.

On the business side, this mindset is just as entrenched and just as pernicious. Customer data of any and all types is collected and recorded and measured and compared. It is marketed to and sold to third-parties and often stored with little regard for the security or privacy.

Having every part of our lives recorded and analysed has somehow become just the done thing and it seems that many people simply accept it.

I am not suggesting that Uber could feasibly operate without collecting and recording customer data but certainly their use of that data goes far beyond what is required to provide the service. But, whatever the case, the government and their agencies and authorities do not see any problem with demanding this data, despite it not being necessary for them to do so.

Instead of big rubber stamps, every request for data like this should go through a rigorous and tightly-controlled process where the specific information being requested is identified and scrutinised to ensure that only the data that is actually necessary to a specific, identified and justified function is obtained.

Access to personal data must be seen as exceptional, not the norm.

Rant over. For now . . .

This year's H-1B visa lottery jammed full in just six days

dan1980

No more category 1 or 2 - that's the 'simple' answer.

How can you POSSIBLY claim a 'skills gap' for positions that are, largely, unskilled?

A comprehensive answer, of course, requires far more and I would suggest that both maybe green card application rates and definitely wages paid could be used to determine those abusing the system.

Google-funded study concludes: Make DMCA even more Google-friendly

dan1980

Re: Unbelievably ignorant rant....

@Soren

Where is this concept coming from that, just because you post an image online, you lose your rights?

But that is not really the story - it's that Google are essentially saying: as one of the wealthiest companies on the planet, strong copyright protections would be just too much hassle for them.

dan1980

The one word explanation of all this is: 'lobbyists'.

Laws are made by politicians and politicians are funded by lobbyist dollars. So those with the money to throw at maintaining huge lobbying arms are those whose interests get represented when it comes time for the politicians to put pen to paper.

Is it any wonder then that copyright law disproportionately favours the rich mega-companies?

Reddit's warrant canary shuffles off this mortal coil

dan1980

While the idea of a 'warrant canary' is a good one, is there any reason it can't be updated more regularly?

Having one at all means that you want your users to know so they can act accordingly. And, if that is the case then wouldn't you want your users to know as soon as possible?

Might you not also have several canaries to cover multiple possible NSLs?

Sure, that's a bit more work but might it not be to the site's benefit? As the author says, the secretive nature of NSLs means that, while this could be a very narrow, well-justified request for specific information on a single person, it could also be a wholesale integration of Reddit servers into the NSA's data-gobbling behemoth.

And, while the former may seem more likely to some, when the secrecy is coupled with the known range of the NSA's powers and their proven eagerness to use them in exceptionally broad applications, the latter possibility cannot be discounted.

That being the case, there are those who will now assume that this is the case and as a result may cease using Reddit entirely.

So might it not be better then to maintain multiple 'canaries' - one for specific requests, one for broad scoops and one for the wholesale compromise of the site and its users' data?

Again, that they do this at all shows they want to inform their users of when the government is poking around, and part of that is no doubt to give their users more confidence and trust in the site. A binary NSL/no-NSL flag doesn't seem the best way to do that.
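The multi-canary idea floated in the post above, written up as an added example (this is not Reddit's code or anything the article describes): one statement per scope, each renewed on its own schedule, and a reader-side check that reports a scope as fresh, stale (not renewed on time) or absent (removed). The line format, the scope names and the renewal periods are all assumptions for this example; a real canary would also be signed (typically with PGP), and that signature check is left out here.

```python
"""Reader-side monitor for a multi-scope warrant canary (added example).

Each published line asserts that, as of the 'renewed' date, the site has
NOT received the kind of order named by the scope. A scope that stops
being renewed, or disappears, is what a reader should react to.
Signature verification of the page is assumed to happen elsewhere.
"""
from datetime import date, timedelta

# Constructed sample canary page. Assumed format:
#   scope | last renewed (ISO date) | renewal period in days
SAMPLE_CANARY = """\
# canary v1 (constructed sample, one line per scope)
targeted-request  | 2016-03-28 | 7
bulk-collection   | 2016-03-28 | 7
full-compromise   | 2016-03-21 | 7
"""

# Scopes a reader expects to see every time; a missing one counts as 'absent'.
EXPECTED_SCOPES = ("targeted-request", "bulk-collection", "full-compromise")


def parse_canary(text):
    """Return {scope: (renewed_on, period_days)} from the canary text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        scope, renewed, period = (part.strip() for part in line.split("|"))
        entries[scope] = (date.fromisoformat(renewed), int(period))
    return entries


def canary_status(text, today, expected=EXPECTED_SCOPES, grace_days=2):
    """Classify every expected scope as 'fresh', 'stale' or 'absent'.

    A scope is stale once today is past renewed_on + period + grace_days;
    the grace period absorbs an ordinary late publish without a false alarm.
    """
    entries = parse_canary(text)
    status = {}
    for scope in expected:
        if scope not in entries:
            status[scope] = "absent"
            continue
        renewed_on, period = entries[scope]
        deadline = renewed_on + timedelta(days=period + grace_days)
        status[scope] = "fresh" if today <= deadline else "stale"
    return status


if __name__ == "__main__":
    for scope, state in canary_status(SAMPLE_CANARY, date(2016, 3, 31)).items():
        print(f"{scope:18s} {state}")
```

Run on 31 March 2016 the sample flags only the 'full-compromise' line as stale, which is exactly the narrow signal the post argues a single yes/no canary cannot give: the other two scopes stay green, so a reader can tell which kind of order is plausibly in play.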

That one phone the FBI wanted unlocked? Here are 63 more, says ACLU

dan1980

It's great isn't it - we hear people like the FBI bang on about how laws need to be updated to address modern technologies but happily use a law first penned at the same time that the most effective long-distance communication technology essentially involved waving flags at each other and the cutting-edge of electricity production involved hooking up a series of frogs legs.

But, even so, ignoring the technical differences between then and now, there is a far better reason why this broad law should no longer be relevant, which is the LEGAL difference between then and now.

We are talking about a law that was written less than a decade after the Constitution!

Such a broad law, though potentially dangerous even then, made far more sense for a new country lacking an extensive series of legal history and precedents. That is manifestly not the situation today and the US has had long enough to flesh out the legal system into a far more comprehensive one than it was a handful of years after they set down their muskets.

I.e. it was a rough but pragmatic stop-gap to help build the legal framework of a new nation which is now being twisted to ends that could not have been foreseen. That the law still exists shows exactly why we should always be wary of governments that want more powers - for whatever reason. Once they have them, they will not willingly give them up.

Microsoft announces Windows 10 Anniversary Update coming this summer

dan1980

"One of the key new features is the delivery of Project Centennial, which Myerson called a "desktop app converter." It will wrap desktop applications for delivery through the Windows Store. A version of the Sage accounting system will be an early example."

Fantastic! That will certainly help fulfill Microsoft's promise (to itself) that it will exert more control over and, more importantly, take a cut of every bit of software running on Windows.

But even with good features being added, it must be remembered that with automatic updates and the idea of a 'free' OS, what Microsoft giveth, Microsoft can taketh away. One day you will have feature X, the next day it may be replaced with feature Y or gone altogether. Of course, it's likely that features removed will be made available through more dependence on 'cloud' - whether warranted or not.

Microsoft's no.1 hate is PCs that are offline and static and all their efforts, no matter how they are presented, are aimed at getting as many people as possible connected to and reliant on Microsoft's online systems, as often as possible.

The question is not one of features or usability but of control.

Adblock wins in court again – this time against German newspaper

dan1980

Non-static ads are not just 'dreck', which is bad enough; they track you and are also exceptionally dangerous potential malware vectors.

When sites can guarantee that the ads they serve will never track me in any way, shape or form and are verifiably 100% malware-free, then I will be significantly more open to ads.

The crux of the issue is that advertisers want to have their cake and eat it too. They want us to be stuck with the ads they choose to serve, as we are with traditional media, but they also want to track viewers/readers.

The rub is that the technology they exploit in order to track us - the client-side request and rendering of Internet browsers - is the same thing that gives users the ultimate control over what is displayed.

You can't have one without the other.

'No regrets' says chap who felled JavaScript's Jenga tower – as devs ask: Have we forgotten how to code?

dan1980

Hang on . . .

So, setting aside whether it's a good idea to have your project rely on such a string of (sometimes elementary) dependencies, let's just accept for the moment that that is simply the way it is and deal with the situation.

The house of cards, in this instance, came crashing down because a particular package was no longer available.

The 'lesson' NPM have taken away from this mess is that the structure is sensitive and if something happens to a package - even a small one - then there can be flow-on repercussions of quite a large scale.

Have they realised the irony where this all started by handing control of a package to a different author? Yes, yes version numbers etc . . . but it's all a little amusing to me.

You always hear about storage's big dogs. How about the little firms?

dan1980

We hear a lot about smaller storage companies - when they (nearly inevitably) get bought by the 'big dogs' and established players.

And when that happens, who knows what forms the integration will take and what the result will be?

Take something like VDI-in-a-Box (not a storage player, admittedly!), which Citrix snarfed up from Kaviza a few years back. At the time, VDI-in-a-Box was promising and looking to the future and adding more features to make it a more complete solution that was viable for more companies.

Citrix bought it because - in my cynical mind - such an expansion for the product would directly compete with XenDesktop. So, they bought it and set it in stone as the 'small' option, meaning that if you wanted more features, you needed XenDesktop, thus artificially ensuring that that product still had value.

The problem is that this required, essentially, freezing VDI-in-a-Box and thus there was never an upgrade path to migrate to XenDesktop and get those extra features that Citrix ensured were the sole province of their pet software.

This is the crux of the issue with smaller tech companies.

They offer something different - some different and easier way of doing things, like VDI-in-a-Box - but don't yet have the full features or compatibility or reliability or service presence to compete with the established players.

They are either snapped-up at that point to add the capabilities/technology to an existing port-folio or they continue to close the gap as the product matures and are then gobbled to either add a more complete product to an existing line or to, effectively, kill the impending competition.

Yes, it's cynical and sometimes companies really do intend to continue and develop the technologies they have acquired, but even then that process often fails or is not profitable enough and these offerings are 'streamlined' away to concentrate on other things or simply to cut a bunch of staff and make some quick turnaround for their EPS and keep the analysts happy.

If Jack Sprat ran an IT department

dan1980

"Thin-fat"

Never heard that term before, though I've been working with it for ages.

This is, in my opinion, the best option most of the time. Thin clients are great - they are, generally, easy to deploy and pretty sturdy, light on power consumption and easy to tuck away.

But they are very cut-down devices and you lose all flexibility and ability to handle odd situations. A 'real' PC is far more useful and can be easily configured to work as a thin-client while still preserving the ability to utilise the extra functionality if required.

The problem with thin clients now is that they don't offer enough of a saving over the basic business PCs you can buy from, e.g. HP.

I have worked with a LOT of remote desktop/app/citrix/etc... environments and in nearly every environment there are a few users/roles that just require a normal PC. Once you have that, you have a heterogeneous environment and you lose some of the benefits of a uniform thin-computing model.

For example, many thin clients come with management and imaging software that won't be relevant (or extensible to) fat clients so you need another way to manage those. If you have all fat-clients (however they are used) then you can deploy a management solution that captures all of your devices and allows uniform monitoring and management.

There are other concerns, to be sure - like patching - but if you have even a handful of 'fat' clients then that's something you need to address anyway.

In the end, if thin clients represented a real dollar saving over PCs then they would be more attractive but there's just not a big enough saving to warrant the loss of flexibility.

Oz government wants much more personal data sharing

dan1980

"The inquiry is couched primarily as a cost-benefit analysis, looking at laws that “unnecessarily restrict the availability and linking of data”."

Yes, well here's the problem with all such measures that might impact privacy - whether it's surveillance or regulations for industry or new 'initiatives': the phrase "unnecessarily restrict".

Our government, and indeed most "leading jurisdictions", simply don't view personal privacy as important at all. This sees them prioritising other concerns/goals and being willing - often eager - to sacrifice the privacy of their citizens for even the most questionable, unproven or meager benefits.

In other words, they tend to view privacy as "unnecessarily restrict[ing] the availability and linking of data". They also view security and concerns of efficacy or about the actual economic benefit as just 'red tape' and, therefore also "unnecessarily restrict[ing]".

If police officers had to actually make a case that they needed access to your private data or get a request approved first then that would "unnecessarily restrict" their ability to catch witches commies paedophiles and terrorists.

That's why the new online, 'eHealth' record 'trials' are opt-out and why they are going ahead despite the still numerous unresolved concerns about privacy and security.

I hear spokespeople on the radio and TV barely stopping short of announcing it as a panacea to all that ails the medical system - It'll be efficient and effective and secure and everyone will love it, don't you know? In fact, they are so sure you'll love it that they'll even go ahead and sign you up for it automatically.

After all, who could possibly be opposed to having U2's amazing new album forcibly inserted into their collection having their personal and private medical information uploaded to shared database?

And this will be no different - we'll hear all about the 'ideas boom'* and how we 'have to change' and something, something, something 'economy' and 'clever' this and 'smarter' that, and all the concerns about security and privacy will be waved away and all the questions about the benefits ignored with our politicians' customary blend of ignorance, exaggeration and out-right lies.

What else can we expect from people geared toward valuing self-interest and short-term political gain over solutions and long-term benefits to society?

* - A phrase that already prompts me to take a few deep breaths and quietly count to ten.

Mystery Kindle update will block readers from books after Wednesday

dan1980

Re: Bookerly, etc?

@Blitterbug

A nice thought, but why would that require cutting access to anyone who hadn't applied the update?

The only three things I can think of that would actually warrant such heavy-handed tactics are:

  • Encryption update - SSL/TLS changes due to recent issues.
  • A new device that will require server-side changes that would not be compatible with older devices*.
  • DRM.

The interesting thing, to me, is that options 1 & 2 are, from a marketing perspective, good things. Increasing security is good and new features are, generally, also good - certainly there is no end of fanfare when any of our modern consumer electronic devices are endowed with even the simplest feature. (Or colour, or lightened by a gram.)

So why the odd silence about what this update is for? That silence leads the more cynical of us towards the thought that the changes are not desirable, from a user perspective, and thus the obvious candidate is extra/hardened DRM and/or compromising devices that are jailbroken.

Really, without more information, I will assume that this update adds a higher wall to the garden. Cynical maybe but not unjustifiably so given that a 2014 update did precisely this and with similarly little information given to explain it.

* - Think, for example, how Outlook 2003 won't work with Exchange 2013 because of the requirement of autodiscover, which Olk 2003 doesn't support.

GCHQ: Crypto's great, we're your mate, don't be like that and hate

dan1980

Standing clear amongst all the misrepresentations and evasions is one huge problem: this all assumes that those with the ability to decrypt our private data are, and always will remain, unimpeachably ethical, weighing each and every decision to deploy their intrusive abilities and only doing so where there is the greatest of needs.

I say this is the big problem because it still exists EVEN IF you assume, as our governments and agencies want us to, that what they want is actually possible and that it won't result in other parties exploiting these not-backdoors.

Hard experience shows that nothing could be further from the truth.

FBI says NY judge went too far in ruling the FBI went too far in forcing Apple to unlock iPhone

dan1980

"The New York case was addressed by FBI director James Comey at a Congressional hearing on the Apple case last week, where he acknowledged that the FBI had lost. He tried to play down its importance by suggesting it was just one fight in a much larger battle."

Right, so they aren't trying to set a precedent and this is all about each specific case, on its merits and they are entirely unrelated. But it's just one fight in a larger battle.

And what is that battle, director?

Reading his submitted statement, I see this:

"The core question is this: Once all of the requirements and safeguards of the laws and the Constitution have been met, are we comfortable with technical design decisions that result in barriers to obtaining evidence of a crime?"

Fair enough, but one can also approach it from the other side:

"Are we comfortable outlawing technical design decisions aimed at providing privacy for individuals on the basis that this may form a barrier to obtaining evidence of a crime, thus weakening the security for millions of innocent citizens in order to more potentially obtain data that may be useful in a handful of cases involving a tiny fraction of the population?"

Because that's what they are saying - they want the ability to restrict the level of security and privacy available to everyone on the justification that it has the side effect of making it more difficult for them to get some data on some tiny subset of people.

SMBs? Are you big enough to have a serious backup strategy?

dan1980

I find that it's best to start with WHY you are backing something up.

In normal operation, with everything sunny and happy, backups are usually irrelevant. So the question is: what potential situation or request are you trying to resolve by recovering a backup?

When it comes down to it, there are three main reasons to back up data: recovering lost/changed data, recovering lost infrastructure (from a server to the entire building) and archive/data discovery.

Some backup solutions can work for all three but each of the scenarios have different priorities and requirements such that a system that covers all of them is likely not the best fit for any - or at least only for one.

For example, some data may need to be kept for several years but this is usually only a small subset of total data and infrastructure. Using whole server backups to fulfill this function is fully possible but keeping weekly backups of an entire server image for 7 years is going to cost you rather a lot in storage.

As another example, backups for the purpose of disaster recovery should be kept offsite, but this is inconvenient when one wants to restore a file that was accidentally deleted. This might not be a big issue with a larger company that has the budget for an offsite location with a fast link where the backups are held but for smaller businesses, they will more than likely be relying on external hard drives for disaster recovery purposes and thus 'offsite' means inaccessible unless specially retrieved.

So, when it comes to small businesses, the best way to approach things is to split it all up into these different purposes and figure out the best solution for each. Depending on the business and their budget, it may be that two birds may be accounted for with one stone but other times, three separate processes covering the three requirements can work out cheaper and more reliable.
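The split-by-purpose approach from the post above, as an added example (constructed for this page, not from the article or any backup product): a retention planner that decides separately, for file recovery, disaster recovery and archive, which nightly copies to keep, then prunes everything no purpose needs. The policy values (14 nightly copies locally, 8 Sunday images offsite, the first copy of each month for 7 years) and the nightly-backup dates are assumptions for illustration.

```python
"""Per-purpose backup retention planner (added example, constructed).

The three purposes from the post have different needs, so each gets its
own rule; a copy survives pruning if any one purpose still wants it.
Policy values are assumptions chosen for illustration.
"""
from datetime import date, timedelta

POLICY = {
    "file-recovery":     {"keep_days": 14},                # every nightly copy, kept locally
    "disaster-recovery": {"keep_weeks": 8, "weekday": 6},  # Sunday (6) full image, held offsite
    "archive":           {"keep_years": 7},                # first copy of each month, long term
}


def generate_nightly(start, end):
    """Constructed list of nightly backup dates, inclusive of both ends."""
    out, d = [], start
    while d <= end:
        out.append(d)
        d += timedelta(days=1)
    return out


def retention_plan(snapshots, today, policy=POLICY):
    """Return ({purpose: set_of_dates_to_keep}, sorted list of dates to prune)."""
    snaps = sorted(snapshots)
    keep = {}

    # File recovery: recent nightly copies, close at hand for "I deleted a file".
    fr_cutoff = today - timedelta(days=policy["file-recovery"]["keep_days"])
    keep["file-recovery"] = {d for d in snaps if d > fr_cutoff}

    # Disaster recovery: one full image per week, so offsite storage stays small.
    dr = policy["disaster-recovery"]
    dr_cutoff = today - timedelta(weeks=dr["keep_weeks"])
    keep["disaster-recovery"] = {
        d for d in snaps if d.weekday() == dr["weekday"] and d > dr_cutoff
    }

    # Archive: first copy seen in each month, for the multi-year retention window.
    ar_cutoff = today - timedelta(days=365 * policy["archive"]["keep_years"])
    seen_months, archive = set(), set()
    for d in snaps:
        if d <= ar_cutoff or (d.year, d.month) in seen_months:
            continue
        seen_months.add((d.year, d.month))
        archive.add(d)
    keep["archive"] = archive

    wanted = set().union(*keep.values())
    prune = sorted(set(snaps) - wanted)
    return keep, prune


if __name__ == "__main__":
    # Constructed run: a quarter of nightly copies, evaluated on 31 March 2016.
    snaps = generate_nightly(date(2016, 1, 1), date(2016, 3, 31))
    keep, prune = retention_plan(snaps, date(2016, 3, 31))
    for purpose, dates in keep.items():
        print(f"{purpose:18s} keeps {len(dates):3d} copies")
    print(f"prune {len(prune)} of {len(snaps)} copies")
```

The point the post makes falls out of the numbers: of 91 nightly copies, the three purposes between them need only 23, and the archive tier needs just one copy a month, so it is the one tier where you would back up only the small subset that actually has to be kept for years rather than the whole server image.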

Strike! European Patent Office staff vote in their thousands for walkout

dan1980

Setting aside any questions of preferential treatment for patent applicants and focusing on the reasons for this strike, it shows the bad side of unions and why they can be so despised by people on the other side of the divide.

I think unions fill a very important role in addressing the huge power imbalance that can often exist between employees and employers. Unfortunately, this can (and all too often does) result in unions becoming unreasonable bullies.

After all, what was being proposed?

Recognition based on performance rather than pure longevity. While allowing for the fact that such a system can see people rewarded for toeing the line and having the right connections (rather than their actual performance), I have worked for and with organisations that determine pay and promotions primarily on longevity and it's not great. The people who are energetic and hard-working tend to either get jaded or simply leave to find a job where their effort will be rewarded, while those who are promoted tend to be the ones who simply stuck around and didn't make waves or go out of their way to really do anything.

This change was of course strongly opposed by the union, which did so, it seems, in a rather nasty manner.

Which then prompted a retaliation and here we are.

It's not a unique story.

Blah Blah blah ... I don't care! To hell with your tech marketing bull

dan1980

"Dear storage industry: shut up"

Trevor knows the love I gots for him and we see eye-to-eye on many issues but this is possibly the most perfectly succinct and accurate line he has penned.

That said, the several comments about new versions messing up UIs is spot on as well. I could count the number of times a new version of something - at least in recent years - has improved the UI on one hand. Or at least I could if any came to mind . . .

Microsoft wants to lock everyone into its store via universal Windows apps, says game kingpin

dan1980

People like Apple, EA, Google, Microsoft, Valve and others want to set themselves up as gatekeepers through which all content flows.

In all instances, the claims are around integration and simplicity and so forth but the goal is always the same: control and market share. MS in this instance are doing exactly what I and so many others have long said they would - change their business model to more closely match Apple and their App Store/iTunes ecosystem.

Telco veteran unloads on Oz data retention laws

dan1980

While all this is indeed true, I really don't know what saying it will achieve because it's not as though it hasn't been said a hundred times before.

The government just doesn't care - they wanted it so they were going to do it come what may. They refused to accept the validity of any of the worries or criticisms then so anyone who thinks there's even the slightest hope of them admitting any of this now is, well, let's say that I marvel at their optimism.

NSW mulls privacy invasion laws

dan1980

Watch this utterly fail to address breaches by police.

Nearly all cloud ERP projects will 'fail' by 2018, reckons Gartner

dan1980

". . . it’s been the iPad toting, cloud-friendly sales and executive classes who have driven uptake of business software providers such as Salesforce, side-lining the more considered counsel of those in IT who could have taken a more measured approach. . . . However, according to Gartner, vendors are also guilty, putting self-interest ahead of their customers."

Yeah. Just, yeah.

Something, something, something "cloud", something, something, something "complete". (Link)

Bruce Schneier: We're sleepwalking towards digital disaster and are too dumb to stop

dan1980

Re: "The problem is in the design..."

Perhaps another point to note is that both governments and companies find panic a very useful tool to further their ends (increased powers/profile and profits respectively).

History is also littered with governments and politicians that have created, amplified or seized panic (or all three) to obtain more control over the populace or to further their political aspirations, as it is with companies that have done exactly the same to push a product.

The recent Ebola meltdown in the US is a good example of both.

Both sides exploited the scare to present themselves as tough and able to protect the people - for example the detestable detainment of a nurse by Chris Christie; to push their agendas - e.g. border control and immigration; or to simply bash their opponents - declaring, for instance, as the Dems did, that Rep cuts have harmed the CDC and make the US more vulnerable.

On the commercial front, Lysol purchased the top ad-spot on Google for searches on 'Ebola' in order to hawk its disinfectant products.

dan1980

"There are no easy answers to this, he said, but for a start we should concentrate on disconnecting key systems from each other and moving to more distributed, localized systems, and putting time limits on data storage."

Less connectivity and less data?

Right and this is going to be on the table for "policy makers and the technology industry" is it?

Because neither of those groups utilise the current situation (lots of connectivity and lots of data) or wish to expand it even further, right?

The way forward suggested, while correct in being the best course of action, is sadly the one that is least likely to happen given that the people who need to take charge (and indeed are, largely, in charge) have a particular interest in obtaining the opposite result to that which is desired by people like Schneier.

Activist investor tells dot-word biz to sell off 'garbage' new domains

dan1980

Did I just read:

"Stop throwing away our money or I will make you throw away our money"

?

That said, I do agree that the enthusiasm over the new shiny-shiny shouldn't leave you neglecting your core business, though that applies whether the new thing is making money or not.

Of course, if it's not making money then that goes double because even if you forecast a new juicy revenue stream in the future, you still need your current streams to support it until that point.

We're doing SETI the wrong and long way around, say boffins

dan1980

Re: How Alien is Alien?

@itzman

"WE are looking for aliens who are in fact not alien, but are just like us."

Well, yes, that's true and it is of course possible that there is intelligent life somewhere out there that is of a form beyond our current understanding.

It is a conceit to believe that we fully understand all the laws and processes of the universe but we have a good enough grasp to make some decently informed inferences and there is no particularly good reason to believe that life elsewhere operates under physics that are substantially different from that which we understand here and now, which is not to say that their grasp might not be substantially better.

But that's almost beside the point as we are limited by our technology and grasp of physics so we can only 'look' for signals that we are able to receive and identify.

It certainly might be possible that some advanced civilization is capable of generating sufficiently strong gravity waves to be used as a form of long-distance communication but, LIGO notwithstanding, we lack the means to detect and interpret such hypothetical signals and certainly to respond in kind.

Thus, as both our methods of detection and the scale of the exercise itself are limited, we must restrict ourselves to the search for intelligent life using methods similar to those we do or could use and thus, presumably, similarly limited in its signal detection and planet identification abilities.

So the search for a particular subset of life that is basically similar in the physical barriers it faces (even if more advanced) is not so much a presumption that all life must be similar to us but an acceptance of our own limitations.

dan1980

Sometimes I wonder if finding (strong) evidence of alien intelligence would be a good thing.

I'm not worried about being invaded or obliterated, just wondering if it would make us feel better or worse, knowing we weren't the only sentient life in the universe but knowing to an equal certainty that, despite our new-found co-existence, we could never even communicate in any meaningful way.

Well, unless we are very lucky indeed and such life exists on one of the planets within, say, 50ly, the range at which it's just about possible to have a message sent and a response received inside a person's lifetime.

But the signals need to be strong, deliberate, and targeted and the recipient has to be listening to that patch of sky so it's also possible that even then we might pass each other by - both looking and listening but never at the right time.

Not that that makes the effort meaningless, just perhaps a little bitter-sweet.

VMware licence changes put users on upgrade treadmill

dan1980

Ahh yes, standard justification - they are "aligning" and "simplifying" in consideration of their customers.

I would be keen to find out, however, how halving ("simplifying") their SKUs from 6 to 3 allows them to better "align" with their customers.

Sure, someone currently on Enterprise will be able to equally fill their technical requirements with Enterprise Plus but then so would someone on Standard so why keep that? If such "simplification" is good then why not take it further? Why not just offer one SKU that does everything?

Now that would be some alignment - no matter which VMware features the customer needs, the SKU will be able to deliver - couldn't be 'simpler'.

HTTPS DROWN flaw: Security bods' hearts sink as tatty protocols wash away web crypto

dan1980

Re: In other news

But is it analogous?

Telnet is cleartext; SSH is encrypted. How is that comparable? In this situation, both protocols were supposed to be secure (Government hobbling notwithstanding).

Telnet still being available is like HTTP still being available.

Zuck gets a Brazilian whack: Top Facebook VP cuffed in WhatsApp privacy kerfuffle

dan1980

Dear US (et al): please take note.

The idea that data can be secure but magically able to be accessed by 'authorised' parties is naive enough. Anyone who thinks that other countries (who may or may not be unfriendly towards the US) can't or won't follow suit is not only naive but stupid. Dangerously so.

Strong encryption is the best way to make sure that unintended parties do not get their hands on information and strong encryption is incompatible with laws requiring a third party (any third party) to be able to arbitrarily decrypt any communication or packet of data.

The two cannot co-exist: if a third party can decrypt your data, the encryption is, ipso facto, not 'strong' and not suitable to protect the data.

I think the recent revelation of DROWN and its roots in (forced) weak cryptography should be proof enough of that.

New York judge blocks FBI demand for Apple help to unlock iPhone

dan1980

Actually, it's really just a single result - if the All Writs Act can be used the way the agencies want to use it then the Act becomes one that grants the Government the right to force any private citizen or company or institution to work for them against their will, so long as some link can be drawn between the actions demanded and the case in question - regardless of whether there is any specific connection for the individual or company being forced to comply.

I.e. it gives agencies the right to use the courts to grant them arbitrary powers beyond those bestowed upon them by congress and statutes.

As a normal person, I can't see how the FBI wanting to force a group of people to create something they don't want to create can possibly be "agreeable to the usages and principles of law". This judge, at least, agrees but the other one appears to think that this kind of thing is fine.

South Australia received 100 complaints about police data misuses last year

dan1980

This story (and others just like it) shows what the problem is.

Well, the core problem is a lack of integrity and respect for privacy amongst those whose sense of self-importance makes them believe they are above such concerns. But, that's a problem that's impossible to eradicate because law enforcement personnel are humans and humans will tend to abuse power and lose perspective if left unchecked.

Thus, the key issue is that police are left largely unchecked.

However trustworthy an individual officer may be, as a whole there will be numerous breaches, some of which will be minor but plenty will be deep breaches of privacy and some will turn out to be serious disruptions of legal proceedings.

That the talk is of how to deal with officers who abuse these systems raises the question of why a group of people (police officers) who have been PROVEN to be unable to be trusted* are allowed access to such a large amount of highly-sensitive private data in such a way that it is even possible for them to misuse it?

Obviously you can't stop someone disclosing information they have viewed but how is it possible that someone can use these systems 'without authorisation' to view the data in the first place? That should simply be impossible.

But, of course, any semblance of security or insistence on due process is an unacceptable hindrance to catching pedophiles and violent criminals.

The double-standards are beyond the point that I can laugh. The police are always calling for strict laws that impact everyone in order to police a few - lockout laws in NSW and motorbike club laws in QLD or the recent rubbish with the police trying to ban soccer fans marching en masse to games.

When it's someone else, they feel that restricting and inconveniencing everyone is acceptable in order to stop a handful of people doing the wrong thing but when it's them, well, that's totally different . . .

* - I mean as a group. As individuals, the majority are just as you'd hope (and expect) them to be but it only takes one instance from one person to cause serious issues.

Law enforcement's next privacy overreach will be the metadata of things

dan1980

As Richard notes, many 'connected' devices won't function at all (or only in VERY limited capacity) if they aren't constantly in contact with the vendor's servers. Even if there's really no need for them to be designed that way.

The real worry is not that these Internet-connected devices must be connected to function but that more and more appliances will only be available as such 'smart' devices.

That's already happening with many televisions, where they all have 'smart' features and Internet connectivity. At the moment, I'm not aware of any TV that REQUIRES Internet connectivity for basic functionality but it does not seem far-fetched. Now, I doubt that such a TV would prevent you watching a channel if it was disconnected but I can easily imagine the TV guide functionalities being moved to an Internet service - or even the ability to tune the channels at setup. You'd have to create an account with the manufacturer, of course, which registers the TV to you and so on.

I might want a phone that doesn't track me via location services and leak my information all over the place but it won't be long before these types of phones are the only ones available.

In short, as time goes on, our options for choosing devices that respect our privacy are diminishing.

Microsoft urges law rewrite to keep US govt's mitts off overseas data

dan1980

But I want it . . .

"Smith said US cloud providers were also under pressure from foreign states to disclose data on US servers. Microsoft had been hit with a criminal fine in Brazil for refusing to do so."

Um, yeah. You know that recipient of so many pointed fingers: China? Guess what . . .

"[The SCA] had saved the US going through the much lengthier MLAT (mutual legal assistance treaty) process."

Yeah, and if you allowed law enforcement to just enter any property at will and detain people without probable cause and abolish their Miranda rights then it would 'save' them having to go through the 'much lengthier process' of getting warrants and going to trial and, you know, following due process.

Yes, international politics is sometimes messy and often slow and that can certainly result in delays in law enforcement actions. But that's the price of wanting to engage in international trade - you have to create treaties that lay down what can and can't be done and how - across a whole range of areas.

It's also the way you show that you respect other nations and their citizens.

But, given that most nations don't seem to respect their own citizens (and the US is right up there), it seems almost naive that they would even consider foreign citizens to have rights at all.

Actually reminds me of the end of Guardians of the Galaxy where Rocket Raccoon asks whether it's illegal to take something that doesn't belong to him:

Rocket: What if I see something that I wanna take and it belongs to someone else?

Nova chap: Then you will be arrested.

Rocket: But what if I want it more than the person who has it?

Nova chap: Still illegal.

Rocket: That doesn't follow. No, I want it more, sir. Do you understand me?

FBI v Apple spat latest: Bill Gates is really upset that you all thought he was on the Feds' side

dan1980

"Gates' larger point is that, in future, terrorist acts may be larger and scarier than random shootings and could include nuclear or biological threats. Under these scenarios, the government "shouldn't be completely blind," he argued, but there should be "safeguards" to prevent abuse."

I understand this point of view because exceptional circumstances can justify exceptional measures.

The problem is that law enforcement and government not only do not draw the lines where common sense would put them - they don't seem to accept any lines at all.

They argue for exceptional powers to prevent exceptional threats but then, once they have them, they become part of the day-to-day operations and any restrictions on their use - whether through narrow conditions laid out in law or requirements for court-orders or even just approval and oversight - are shot down as preventing law enforcement from having access to the tools they need to do their jobs and therefore responsible for putting lives at risk.

In short, law enforcement demand access to exceptional powers but refuse to be bound by any limitations on the use of those powers.

So, while the solution Gates discusses seems at least somewhat reasonable, it is simply not going to happen because the other side aren't willing to compromise.

Latest in Apple v FBI public squabble over iPhone crack demand

dan1980

@AC

Absolutely, and I am not oblivious to the other options. I left the question open, not because I could see no way forward for the government but because the way forward was clear.

While I wouldn't go so far as to say that this is a site for 'tech experts', it certainly is a site frequented by such people and that is the very reason why I didn't feel it necessary to spell out the alternative - I left it hanging, as it were.

So, let's explore this, then.

Apple's employees have refused and Apple have taken that information back to the government. So now the government insists that, as 'Apple' won't play ball, they must now hand over the necessary credentials and information and servers to allow the government to do it themselves.

Two thoughts come to the fore, however.

First is that the government can no longer claim some kind of narrow scope - they are now genuinely demanding the ability to hack any iPhone belonging to anyone at their convenience and without requiring a specific court order each time.

Second is that the company 'Apple' is being punished because individual staff members quit rather than compromise their own personal ethics and principles. Is that fair? Okay sure, assuming that any of this is 'fair' is naive but how can the government defend such a course of action publicly?

Because this is very much a public debate. Sure, it's all a game of 'rock-paper-scissors' where the government holds the only stick of dynamite but they clearly have a strong interest in winning the public over on this one and both the above options would be complete contradictions of their current rhetoric and so would be utterly counter to their push for public acceptance and backing.

Not that this changes anything legally but the question I have been posing is: how far is the government willing to stretch its arm and how strongly and uncompromisingly is it willing to exert its powers?

Asking 'Apple' to do this and having 'Apple' provide the requested services is clearly the government's best result at the moment, but if it gets down to individual human beings having to choose between keeping their jobs and betraying the faith of the customers and compromising their own morals, is the government really prepared to keep talking tough when it is no longer possible to pretend their requests are reasonable and routine?

And if they do hold that line and the staff at Apple are STILL willing to lose their jobs to prevent this dangerous precedent being set in stone - what then? Will the government - who have repeatedly insisted it's just one device - really demand access that is unable to be played down as targeted and not a 'back door'?

I don't have the answers but it feels to me as though we are finally nearing a point where some company will force the government's hand such that they can no longer lie about the access they want and have.

Ignoring, for a moment, the stories of potential secret deals, it seems that the CURRENT stance of Tim Cook et al is that they are willing to force the government to show its true colours if it wants to ensure 'victory'.

dan1980

When all the talking stops and all the soap boxes are put away, one fact will still remain: the government is trying to compel individual people* to build them the equivalent of a set of lock-picking tools to break into the device in question.

We - and the government - can say that they are getting 'Apple' to do this but there is no disembodied entity called 'Apple' that will be writing the lines of code required - it will be flesh and blood human beings.

And those humans have their own thoughts and feelings and beliefs and principles and may well feel very strongly about what they are being asked to do.

Sure, they are employed by Apple so if they want to stay employed, they should perform the tasks assigned to them, but what if they refuse, on principle? I've certainly refused certain 'requests' from bosses in the past when I felt strongly about them. Thankfully I haven't been fired due to this stubbornness but in each case, I wouldn't have taken the stance unless I was willing to be fired for it.

So what happens then?

Apple is ordered to get this done and so the board agree it should be done. They pass it on down the chain and, when it finally gets to a group of engineers, they all refuse. It goes back up the chain and 'Apple' reply to the government/the courts that they are unable to comply because they do not have anyone with suitable technical knowledge who is willing to do this.

Would Apple be compelled to hire new engineers?

If so, they will need to train them and, as the work they would be doing is very sensitive, there would have to be a bit of legal back-and-forth with the contracts, resulting in significant delays.

That's all hypothetical, of course, but the point is that the government wants to command individuals who are not in their employment to create something whether they like it or not.

* - I.e. the engineers at Apple who will actually design and build and load the software.

FBI says it helped mess up that iPhone – the one it wants Apple to crack

dan1980

Re: they want Apple to do it ~For Free~.

@Dave 126

Indeed and that is a key difference but, as you infer, the point is largely the same.

I actually came up with a much better comparison, which would be the government compelling an anti-virus company to make them a virus that specifically targets users of their software.

dan1980

@Philip Clarke

". . . to force manufacturers to unlock a device . . ."

No, it's worse than that - they wish to force the manufacturer to create a custom set of lock-picking tools for use by the government.

dan1980

. . . leading the FBI to secure a court order compelling Apple to build a special cut of its iOS software to allow unlimited attempts at guessing its password. iOS currently wipes a device after ten unsuccessful login attempts.

It must be remembered that what is being asked - what the FBI wish to compel Apple to do - is not to hand over information, nor to provide technical assistance but instead to actually CREATE something that does not exist currently.

In other words, they are trying to 'compel' Apple to work for them to produce a product.

Now, I freely confess that I simply don't fully understand the laws in play here but if the FBI really are able to do what they are trying to do then that is the same as if they were to 'compel' a pharmaceutical company to produce a biological weapon.

Extreme? Yes, and I am not suggesting these are actually the same RESULT, but the power they are attempting to use would, if successful, be shown to be sufficient to force a company to manufacture custom goods for the government that they explicitly do NOT want to create.

And, remembering that however large these companies are, they are comprised of people so what you are, in effect doing, is forcing individual people to do something that may very well be morally reprehensible to them.

And what will the government (DOJ, FBI, etc . . .) do if Tim Cook and his board continue to refuse? Do they get thrown in jail?

The 'justification' for this heavy-handedness appears to be that the government 'needs' the power to co-opt the services of their citizens in helping to fight the 'war on terror'.

There's a word for that: conscription.
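An added illustration, not from dan1980's post and not Apple's code: the quoted article says the FBI wants a build of iOS that allows unlimited passcode guesses, because the stock firmware wipes the device after ten failures. The toy model below shows what that limit is worth. A device object counts failed unlocks and wipes its data at the limit; a brute-force loop is run against it once with the limit in place and once with it removed. Everything here is constructed for the example: the passcode, the salt, the fast PBKDF2 stand-in for the device's real key derivation, and the ten-attempt figure taken from the post.

```python
"""Constructed model of a passcode check with a wipe-after-N-failures counter.
Added example; it does not reproduce iOS internals beyond 'count failures,
wipe at the limit'."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

WIPE_LIMIT = 10  # figure quoted in the post; assumed here for the model


def derive_key(passcode: str, salt: bytes) -> bytes:
    # Constructed stand-in for the device's passcode-to-key derivation.
    # A real device uses a slow, hardware-entangled KDF; the iteration
    # count is kept low here only so the demonstration runs quickly.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 200)


@dataclass
class Device:
    salt: bytes
    verifier: bytes
    data: bytes
    wipe_limit: Optional[int] = WIPE_LIMIT  # None models a build with the limit removed
    failures: int = 0
    wiped: bool = False

    @classmethod
    def provision(cls, passcode: str, data: bytes,
                  wipe_limit: Optional[int] = WIPE_LIMIT) -> "Device":
        salt = b"constructed-salt"  # constructed; a real device uses a random salt
        return cls(salt, derive_key(passcode, salt), data, wipe_limit)

    def unlock(self, guess: str) -> Optional[bytes]:
        """Return the protected data on a correct guess, else None.
        Counts failures and wipes the data once the limit is reached."""
        if self.wiped:
            return None
        if hmac.compare_digest(derive_key(guess, self.salt), self.verifier):
            self.failures = 0
            return self.data
        self.failures += 1
        if self.wipe_limit is not None and self.failures >= self.wipe_limit:
            self.data = b""
            self.wiped = True
        return None


def brute_force(device: Device, digits: int = 4) -> Tuple[Optional[str], int]:
    """Try every numeric passcode of the given length, in order.
    Returns (passcode, attempts) on success, or (None, attempts) if the
    device wiped itself or the keyspace was exhausted."""
    attempts = 0
    for n in range(10 ** digits):
        guess = str(n).zfill(digits)
        attempts += 1
        if device.unlock(guess) is not None:
            return guess, attempts
        if device.wiped:
            break
    return None, attempts


if __name__ == "__main__":
    stock = Device.provision("2580", b"constructed secret")
    print("with wipe limit:", brute_force(stock))    # (None, 10)
    removed = Device.provision("2580", b"constructed secret", wipe_limit=None)
    print("limit removed:", brute_force(removed))    # ('2580', 2581)
```

With the limit in place the attacker gets ten tries and then nothing; with it removed, a four-digit code falls in at most ten thousand guesses, which is exactly why the post calls the requested build a set of lock-picking tools rather than 'assistance'.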

US DoJ files motion to compel Apple to obey FBI iPhone crack order

dan1980

"And how exactly do you, under the US Constitution, force programmers to write software . . ."

Surely that is the pertinent question, no?

Taking this out of the digital/computing realm and into the (slightly) more familiar physical world, we can compare this to a safe manufacturer.

A safe manufacturer might be compelled to assist authorities by opening one of their safes using proprietary knowledge. This could be considered a sort of 'back door' in that the safe will likely have been built in such a way that one can open it without the combination - but only with detailed technical knowledge of its construction.

Expanding on that, it is likely that, at least in advanced designs, specialised equipment will be required and this equipment may only be accessible to the manufacturer.

Well and good, but let's imagine that the required specialised equipment does not exist. That is essentially the situation with Apple - the FBI is asking them to use their knowledge to custom-build a tool to break into their product.

Which law grants them the power to compel a company to do such a thing?

Eurovision Song Contest uncorks 1975 vote shocker: No 'Nul point'!

dan1980

But the best thing about Eurovision (Polish milk-maids aside) is the word "Azerbaijan" being repeated ad nauseam!

Confused as to WTF is happening with Apple, the FBI and a killer's iPhone? Let's fix that

dan1980

Re: If Apple gives in on this, it could result in...

So, this is an older device and it may be a totally different story on newer devices, BUT, the general take-away is that if you really want to protect your customers from having their devices and data accessed by the government, you must also secure the devices from access by yourself (the vendor/manufacturer/coder).

Again, maybe the newer devices are like this but either way, IF a device can be accessed by the developer, the developer can then be obliged to access it on behalf of the government.

I.e - in this instance, Apple themselves are the weak link in the security.

Note that all of this is independent of the specific case in question.