* Posts by Michael Wojcik

12336 publicly visible posts • joined 21 Dec 2007

FBI deletes web shells from hundreds of compromised Microsoft Exchange servers before alerting admins

Michael Wojcik Silver badge

Re: I wonder how much Microsoft paid the feds for their services here?

Claims? The warrant application is mostly an affidavit from an FBI Special Agent, name redacted. It was absolutely a request from the FBI.

Michael Wojcik Silver badge

Re: Fore!

Was this approved by a state judge and therefore were all of the servers in Texas?

No. Seriously, the answer to this question is right in the links in the article. You can't take a few minutes to check?

I admit the phrasing in the article is ambiguous: "The action was OK'd ... by a Texas court" is true, in the sense the court is in Texas, but it's not a court of the State of Texas. It's the US District Court for the Southern District of Texas. The servers were in several states. From the warrant application:

19. The presumptively U.S.-based Microsoft Exchange Servers, corresponding to the approximately web shells in Attachment A appear to be located in five or more judicial districts, according to publicly available Whois records and IP address geolocation. These districts include, but are not limited to, the following: Southern District of Texas, District of Massachusetts, Northern District of Illinois, Southern District of Ohio, District of Idaho, Western District of Louisiana, Northern District of Iowa and Northern District of Georgia.

Michael Wojcik Silver badge

Re: FTFY

Issued on the 9th, unsealed on the 13th. It's not like they kept it a secret for long. It's not out of the question that they kept it sealed to avoid tipping off Hafnium and others who might still be using those web shells.

Michael Wojcik Silver badge

Re: Now you know you can blame the FBI if similar things go TITSUP in the future? *

Not "essentially a warrant" – it was a warrant. It's unsealed now and mostly redacted; the article contains a link to the FBI announcement, and the announcement has a link to download the unsealing order and the related documents. They're right there to be read.

The warrant is pretty specific. It was signed by Magistrate Judge Peter Bray of the US District Court, Southern Texas. FWIW, Bray has an engineering degree, and he was a Public Defender for 14 years.

The warrant says it was requested by telephone, and it was issued the day it was requested, so it's not like Bray spent a lot of time agonizing over it. But I don't see any grounds for claiming it was just rubber-stamped.

(I know. What kind of a nerd does actual research before commenting?)

Michael Wojcik Silver badge

Re: Dangerous precedent.

I'm not complacent about this action, but it's significant that they did get a warrant – so they had legal authorization and satisfied the Fourth Amendment requirement – and they only got into the servers because malware was already installed on them, which means those sensitive documents were likely already in someone else's hands anyway.

Report: Aussie biz Azimuth cracked San Bernardino shooter’s iPhone, ending Apple-FBI privacy standoff

Michael Wojcik Silver badge

Re: The most important part of the article....

Certainly it's far from the first time that the FBI or other law-enforcement organizations and representatives beat the "terrorists!" drum in an attempt to get backdoors. They're not going to pass up anything that looks like it might gain support for their case.

There's no place like GNOME: System 76 introduces COSMIC desktop GUI for its Pop!_OS Linux

Michael Wojcik Silver badge

Paying attention to keyboard users?

The team is also conscious of keyboard-driven users who, they said, "prefer a more efficient, distraction-free experience."

That's ... refreshing. The vast majority of my Linux use (and most of my Windows use) is command-line, so I don't really pay much attention to which window manager might be running, but it's nice they're aware that not everyone wants the screen cluttered with eye candy.

Michael Wojcik Silver badge

Re: Why the fuck

Linux users know how to use their operating system and bash it into making it work how they want it to

Well, to be fair, I do use bash to make Linux work as I want it to. And for pretty much everything else I do in Linux.

Sometimes ksh, if that's what my account has been set up with on one of our build VMs and I haven't bothered to change it.

FCC urges Americans to run internet speed app to counter Big Cable's broadband data fudging

Michael Wojcik Silver badge

Re: "it will measure your home connection's speed"

If you have a smartphone with a suitable USB-connected Ethernet dongle you could use the app to test a wired connection. I've never tried that, but I know there are plenty of Android Ethernet dongles for sale.

Quality control, Soviet style: Here's another fine message you've gotten me into

Michael Wojcik Silver badge

A modern classic

One day in the life of Ivan Ivanovitch, eh? Though less Siberian than its literary namesake. Both Ivans take pride in the quality of their work, anyway.

Who'd have thought the US senator who fist pumped Jan 6 insurrectionists would propose totally unworkable anti-Big Tech law?

Michael Wojcik Silver badge

Re: Better Yet.

There are insurmountable Constitutional barriers to banning lobbying -- at least insurmountable without an amendment. The courts have consistently found that political action is broadly protected by the speech, assembly, and petition clauses of the First Amendment. It's essentially the same grounds as the decision in Citizens United v. FCC.

Essentially, the speech clause protects political speech; the assembly clause lets you do it as an organization; and the petition clause means you can't be restricted from doing it to members of the government. See for example the decision in Mine Workers v. Illinois Bar Assn.

As is usually the case with civil-rights issues, it's very difficult to formulate a legal basis for this sort of thing which improves the situation. You want to get rid of "lobbyists"? Fine. How do you do that with a bright-line rule in a constitutional amendment which doesn't interfere with, say, email campaigns to legislators? With political advocacy by NGOs? Maybe you want to ban those too -- but then you've gutted the petition right.

There's no substitute for a strong constitutionally-protected civil rights regime (and the one in the US is already tottering). Lobbying is the lesser evil.

Michael Wojcik Silver badge

Re: Lord Hawley

Well, yes. He's a would-be autocrat hoping to become Trump 2.0.

I don't think he'll make it. He's better-educated (went to Stanford and Yale, don't'cha know) than Trump, even if he still manages to be dumb as a brick; and he's more successful. However much he panders to the deplorables, I don't think he'll wash off the perfume of the elite.

It's a stupid plan anyway, because Trump wasn't the real power for the past four years; McConnell was. If Hawley were half as smart as he thinks he is, he'd be aiming for Senate Majority Leader, and working to retake control of the Republican Party from the populists. Trump supporters aren't going to desert the Republicans any time soon even if the Republicans go back to ignoring them, and voter turnout is easy enough to crank up with some well-placed outrage at the last minute. The GOP doesn't need another Trump -- they just lost sight of the ball in 2016.

That said, I'm happy if they continue to fight internally for the foreseeable future, and Hawley continues to make an ass of himself.

After years of dragging its feet, FCC finally starts tackling America's robocall scourge

Michael Wojcik Silver badge

Re: Hopefully the FCC imprisons them

As the FCC is part of the executive branch, not the judicial, it cannot legally imprison anyone. And illegally imprisoning people is the jealously-guarded fiefdom of the Departments of Homeland Security (domestically) and Defense (in foreign climes).

Michael Wojcik Silver badge

Re: inertia by the incumbent telcos is also a big contributing factor

It wasn't "inertia"; it was baldfaced regulatory capture. Pai was there to do the industry's bidding and everyone knew it. (Simington is just as bad -- a toady if ever there was one -- but less dangerous since the balance of power has shifted.)

Key Perl Core developer quits, says he was bullied for daring to suggest programming language contained 'cruft'

Michael Wojcik Silver badge

Re: His resignation letter in full

I don't think it's valid Perl, but axiomatically it's valid TECO.

Michael Wojcik Silver badge

Re: It is fine

There's certainly something to be said for familiarity. I still write a fair number of ad hoc analysis scripts in awk (or gawk, really). I wouldn't argue awk is good in any objective sense – though when its three famous authors created it, it was a terrific tool that didn't have any rivals, at least on UNIX. But I know it, and the scripts I'm writing don't need to be maintained (they're one-offs, even if I put them in source control just like everything else), so it's useful for me.

I do not like Perl, but I respect it, because the things I don't like about it are mostly explicit design decisions by Larry Wall, and I respect Larry and his rationale. Contrast that with PHP, which seems to be awful mostly because there's no design at all.

By the same token, I don't actually like traditional COBOL – I don't really care to write or maintain code in it – but I respect it because it was designed, and designed according to the principles that were understood at the time. And it's evolved; the 1985 standard helped a lot, and the 2002 standard helped somewhat more, and the major implementations offer extensions and relaxations which help more. (And managed COBOL is a modern OO language with access to major frameworks. Aside from a few historical infelicities, managed COBOL is quite nice.)

Michael Wojcik Silver badge

Re: Toxicity

I recall highly contentious flamewars on Usenet back in the day

Definitely. This was true even pre-Usenet, in the era when listservs stalked the plains of BITNET and the IBM HONE network was larger than the Internet.

It's endemic to the nature of online written communication, which has nearly the immediacy of speech (because it's so easy to dash off a reply, compared to hand-writing a message; and even with email, delivery is much faster than the post or any other print transport), but lacks the additional channels of gesture, facial expression, prosody, etc. And it has the authority and durability of print.

'94 was also the year of the Flame Wars special issue of SCR, edited by Mark Dery, and if memory serves at least a couple of the pieces in that collection touch on the phenomenon too. I imagine Dery himself, a longtime observer of online discourse, could have discussed the question at length even some years before that.

It's not a matter of having "forgotten" how to discuss with respect. It's a frame that's strongly conditioned by the medium. We've known for decades in Composition Studies that media have a powerful influence on rhetoric and discursive pragmatics; methodologically-sound studies drawing on large corpora have shown that consistently. Similarly for work in sociolinguistics and probably in other fields. You can see that as confirming the theories of the Frankfurt School, or Marshall McLuhan, or Hayden White, etc, if you wish. (Personally I like the Frankfurt, find McLuhan rather lacking in rigor, and think White's Content of the Form is interesting but not particularly surprising.)

I touched on this topic in an article I published in Works and Days in 1994, and it was widely recognized then by people using online forums of various sorts.

Michael Wojcik Silver badge

Re: Cult and control

There have been at least a few longitudinal studies of interactions among contributors to large open-source projects, typically by doing things like discourse analysis of public mailing lists. (There have also been some studies of such interactions in large proprietary-software projects, but those often have the luxury of direct access to developers, so they can use additional methods such as ethnography.)

The politics of those groups are complicated and tend to lean very heavily on in-group recognition and reputation. In-group-ness is often signaled by references to shibboleths which are not apparent to outsiders – usually the result of historical feuds or the whims of project heroes.

Michael Wojcik Silver badge

Re: But I bet it does contain a lot of cruft

Have you seen how many date and time modules there are which all do the same thing?

Sawyer was talking about Perl Core, was he not? So not about modules.

Modules are contributed. Core code is under the control of the core maintainers.

Michael Wojcik Silver badge

There's the language, and there's the implementation of the language. My impression from the article is that Sawyer was talking about the latter, but I could be mistaken.

FSF doubles down on Richard Stallman's return: Sure, he is 'troubling for some' but we need him, says org

Michael Wojcik Silver badge

Re: The world keeps turning

Trot out this false equivalence as often as you like, jake. It still won't run.

Michael Wojcik Silver badge

Re: "he is essential to its mission"

Did anyone say he was?

FreeBSD gives ARM64 green light for production over x86 alternative's 'growth trajectory'

Michael Wojcik Silver badge

"Unix-like"

I'm guessing that refers to the fact that FreeBSD is not certified to use the UNIX® trademark (which should be written in block capitals, to please the lawyers). The trademark is owned by The Open Group, of course, and currently the only licensees are Apple, IBM, Cemprus,¹ HPE, Huawei,² and SCO.³

Just another minor clash between history and law.

¹You know, that Cemprus.

²Does Congress know about this? The liberty!

³Does Xinuos know about this? Have they sued themselves yet?

Clearview AI accused over free trials to US police that were plausibly deniable

Michael Wojcik Silver badge

Re: "[he] did not explicitly say why he decided to leave"

Well, there's certainly some truth to that. An expectation of those prominent positions is that you'll moderate what you say about your employer, whatever the circumstances.

That said, I'm still willing to grant Bengio more credibility than pretty much anyone left at Google AI, probably including Croak. I know nothing of her motivation in accepting the position as lead of the new "Responsible AI" (ethics need not apply) group at Google, but Google is so obviously tainted in this area that it's very hard to feel good about it. Maybe she thinks she can fix some of the problems there. Personally, I wouldn't have touched it, but Croak has never been the retiring sort.

The Google Ethical AI ship has sunk, but it's not the rats who fled it.

Oracle vs Google: No, the Supreme Court did not say APIs aren't copyright – and that's a good thing

Michael Wojcik Silver badge

Re: Java 1

Oh, yes, in the 1990s everyone was friendly and helpful and there were puppies everywhere and we all had free unicorns and there was no Lotus v. Borland.

I know people love their prelapsarian fantasies, but, jeez, 1990 was only 31 years ago. Is your historical horizon really that near?

Michael Wojcik Silver badge

Re: What About Rust?

Even to the limited extent that this is true, so what? Breyer's decision holds that API use is fair use. It doesn't matter whether the API is contained in the same file as the implementation – either way they're the same "work" for purposes of copyright law.

USC 17 is not a particularly complicated piece of legislation, even if its ramifications are. Just read the first section and its definitions. Proximity has no effect on copyright or fair use.

Michael Wojcik Silver badge

All the states have laws on the books which were found to be unconstitutional and thus unenforceable. Legislatures are reluctant to make the effort to clean this stuff up, partly because they all have personal projects to fight over, and partly because it's politically unpopular. People who don't like those laws know they're unenforceable anyway, so aren't very bothered one way or another; people who do like them (and there's no shortage of those idiots) get bent out of shape when someone tries to get them removed.

Just a few years ago the legislatures of both Tennessee and Idaho passed laws endorsing the Bible¹. This happens every few years somewhere or other. Typically the governor of the state will veto it, because everyone with an ounce of sense knows it's just asking for an expensive lawsuit the state will lose. In Idaho's case, it violated both the Federal and state constitutions, making it a particularly boneheaded move.

When I lived in Nebraska, there was a ballot proposal to amend the state constitution to remove a provision, added in the 1940s, forbidding the teaching of German in public schools. Of course that had been struck down pretty much immediately after it was passed, so it had no effect anyway; it was just embarrassing crap stuck on the constitution. The ballot issue failed – a majority of voters decided to keep an unenforceable constitutional provision forbidding the teaching of German.

Of course this is why we have constitutions and supreme courts, and why "direct democracy" is a terrible idea. (The movement in the US, from the 1970s on, promoting ballot initiatives and other direct-democracy governance, was largely funded by right-wing groups interested in defanging the regulatory state by sabotaging the legislative process. It's been pretty successful.)

¹Some Bible, anyway. Often the nitwits who write these bills don't specify.

Michael Wojcik Silver badge

Re: APIs might be subject to copyright

it's hard to discount the possibility that copyright applies to APIs

I really don't think it is.

Rupert mentioned the "process, mechanism, or function" test (USC 17 §102), which APIs do not pass. The First Circuit's 1995 decision in Lotus v. Borland held that software UI "look and feel" failed this test. If things like menu items and button labels aren't protected by copyright, why would APIs be? (CAFC's two decisions, in 2014 and 2018, in favor of Oracle show that not only are the CAFC justices incapable of understanding software, they're also incapable of observing stare decisis. Maybe the worst circuit in the country, and that's saying something.)

US courts have consistently held that titles, chapter titles, and other short phrases are not protected by copyright. APIs are more similar to chapter titles than to anything else in other "literary works" (which are what software falls under in USC 17).

SpaceX's Starlink: Overhyped and underpowered to meet broadband needs of Rural America, say analysts

Michael Wojcik Silver badge

Re: Limited resource

Won't do 4K video? So what?

Indeed. I have fiber to the house, and I have zero interest in 4K video. 4K video is not a necessity. (Personally, I'm not even impressed with HD video. It does nothing to improve the story or acting.)

UK's National Cyber Security Centre recommends password generation idea suggested by El Reg commenter

Michael Wojcik Silver badge

Re: Biometric password

Overall, biometrics are generally pretty safe and do not expose you to unwarranted breaches of privacy.

That's certainly a minority opinion among security experts.

How do we stamp out the ransomware business model? Ban insurance payouts for one, says ex-GCHQ director

Michael Wojcik Silver badge

Trained on penalty of immediate dismissal for failure

This is a terrible idea. When you penalize employee error, errors will be concealed rather than used to improve systems.

Thomas Limoncelli had a good piece on this in the February CACM.

Michael Wojcik Silver badge

Re: Don't have to ban the payouts...

but once the criminals no longer get paid they will have no incentive to engage in ransomware attacks

This is a common but fallacious argument.

The cost of ransomware attacks is close to minimal, and there will always be some non-empty set of victims who will pay even if payment is illegal. Thus the return on investment for ransomware attacks will remain positive, and so they'll continue.

Moreover, many ransomware attack pipelines are largely or fully automated. Even if there were never any more payments, those systems will continue to mount attacks because there's no reason for their controllers to try to turn them off.

Website maker Wix embarks on weird WordPress-trashing campaign, sends 'influencer' users headphones from 'WP'

Michael Wojcik Silver badge

Re: "Doesn't at all make me want to use them"

By definition that is half

Sigh. Only if your definition of "average" is "median". People really need to give up this incorrect sophomorism.

Of course, there's no good measure, quantitative or otherwise, for "intelligence", or even a good definition of "intelligence" in the first place; so the original statement is largely meaningless.

Michael Wojcik Silver badge

Re: Poor future historians

They'll describe it as a specific case of the general rule "almost anything else is superior technology to traditional PHP-based anything"?

Michael Wojcik Silver badge

Re: Unstable

My major complaint with WordPress is the plugin "ecosystem" in general, as it's historically been a dreadful swamp of gaping security holes. The popularity of WordPress and its plugins has done a great deal to help web vulnerabilities proliferate.

Michael Wojcik Silver badge

Re: "Doesn't at all make me want to use them"

I'd donate them to a charity shop myself. Don't see any reason to send them back to the original offender.

What's this about a muon experiment potentially upending Standard Model of physics? We speak to one of the scientists involved

Michael Wojcik Silver badge

Re: @GrumpenKraut

Electric Universe is a beautiful network of fallacies and misunderstandings. As a piece of kookery it finds a sweet spot that's comfortably outside reason without degenerating into the incoherence of Timecube or the "to hell with science, let's have fairy stories" lunacy of Inert Gas Devices.

This axiom ("the underpinnings of a model...") is a fine example of that: let's just take an intuitive assumption and elevate it to a law, then employ it in our logic system. What could go wrong?

Proof by Vehement Restatement is a good epistemological technique too, endorsed by kooks the world over.

Michael Wojcik Silver badge

Re: Penny in the air?

Yay! Any online forum without its stable of regular kooks is a poor one.

A comments forum for a Reg particle-physics article will decay into an Electric Universe thread within 100 posts.

Michael Wojcik Silver badge

Re: Electrons or positrons?

"I worked in muon physics/chemistry for nearly two decades." just thrown in casually.

Indeed. Not the sort of thing I regularly see in Facebook comments.

(Not that I read many Facebook comments, it's true, so this is not a statistically-sound observation. And I admit that in the previous month I saw at least one comment on Facebook which was posted by someone with detailed technical knowledge of the subject, so it does happen. But still.)

Airline software super-bug: Flight loads miscalculated because women using 'Miss' were treated as children

Michael Wojcik Silver badge

Re: Not necessarily.

not as precise as a measurement in a vacuum

Of a plane loaded with spherical cows?

Does this flight originate in the US?

Belgian police seize 28 tons of cocaine after 'cracking' Sky ECC's chat app encryption

Michael Wojcik Silver badge

Re: "breaking encryption"

Didn't the previous encrypted phone network get busted because the cops hacked the software update servers

Not even. They got a mole hired by the vendor, according to reports.

Good ol' HUMINT-style sabotage. People have been saying for decades that intelligence and police agencies should stop fetishizing technological solutions and continue to use older, less-glamorous techniques where appropriate. The EncroChat takedown is a fine example.

Michael Wojcik Silver badge

Re: Cocaine

Replace it? It's not like coca leaves grow on trees!

Oh, wait.

Michael Wojcik Silver badge

Re: Cut out middle men

Sell it to Coca-Cola so they can come out with a line of Really Classic Coke.

Michael Wojcik Silver badge

Re: Cut out middle men

There's a difference between IQ and intelligence, too. "Intelligence" is a poorly-defined blanket concept which represents some arbitrary subset of many intellectual faculties, while "IQ" is a nonsense metric invented to promote scientific racism.

Michael Wojcik Silver badge

Re: Encyrption back door?

The maths say that you can break it with enough power and time.

A meaningless statement, in practice.

First, of course, "it" hasn't been defined. RSA? ADH? ECC? Some other key agreement protocol? AES? Some other symmetric cipher? Or is this just hand-waving?

Second, once you assume unbounded resources, the question is no longer interesting. If you have a decision procedure for determining what the correct plaintext is, you can just try every possible key, or even every possible plaintext, "with enough power and time".

Third, it's quite easy to scale cryptographic algorithms up to the point where there aren't enough resources in the visible universe to brute-force them using a conventional computer. It's quite easy to do that for symmetric algorithms and hashing even with general quantum computing. It's a bit harder to do that for asymmetric crypto (key agreement and signatures), but we have candidates with strong evidence for being secure under GQC.

It's vanishingly unlikely that any correctly-implemented, well-studied, modern cryptography was broken in this case. All of the mooted alternatives -- bad implementation, false implementation (the "it was a trap" theory), insider compromise -- are much, much more probable.

Years ago, Bruce Schneier famously claimed that cryptography was good enough, and that "if you think your problem is cryptography, you don't understand cryptography and you don't understand your problem". Since then there have been successful attacks on widely-deployed cryptographic algorithms (MD5, SHA1, RC4) and protocols (all SSL/TLS versions prior to TLSv1.2, pretty much anything using CBC and not making a special effort to mitigate padding oracles, etc.). And we have the perennial worry that maybe someone will get feasible large-scale GQC working and so we need post-quantum asymmetric cryptography. But Schneier's basic point was right: implementations and people are the big threats to communication and data security, not the underlying cryptography.

Michael Wojcik Silver badge

Re: Encyrption back door?

If it was actually end-to-end encryption -- a term of art -- then the service couldn't have discovered the keys. So we're back to a lie, a bad implementation, or tampering. At this point idle speculation is just that.

Michael Wojcik Silver badge

Re: Encyrption back door?

RSA depends on factoring. DLP and ECC do not; neither do the various PQC schemes in the NIST competition, for example.

I wish people who talk about "modern crypto" understood that it's not all RSA.

Michael Wojcik Silver badge

Re: Encyrption back door?

I'm pretty sure that short payloads are significantly easier to crack if you know the encryption

Only for certain broken protocols, and in the trivial sense that very short messages only have a small number of possible corresponding plaintexts. (If you intercept a single-bit message, you know the original plaintext was one of two bits, and the actual message was one of two possibilities.)

In fact large amounts of ciphertext are generally more problematic, though for modern algorithms and protocols, it's not an issue for most use cases.

and there's often "padding" put into short messages in real encryption to make it harder to crack.

Not really. A number of cryptographic algorithms and protocols make use of padding, but the technical reasons for that are more complex than just "it's too short". And as a practical matter, padding is more often a source of vulnerabilities, such as padding oracles.
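The padding-oracle point above is easy to state and rarely shown. As an added example (not code from the post or from any product discussed in the article), here is the classic CBC padding-oracle attack worked end to end: a server that leaks only "padding valid / padding invalid", and an attacker who recovers the whole plaintext without the key, at roughly 256 queries per byte. A small Feistel construction stands in for AES so the block runs with the standard library alone; the attack never looks inside the cipher, only at CBC chaining and the PKCS#7 check, which is exactly why the real attack works against AES-CBC. The key, IV and secret message are constructed for the demo.

```python
"""CBC padding-oracle attack, end to end (added example, not from the post).

A toy Feistel cipher stands in for AES; the attack uses only the CBC
structure and a server that reveals whether PKCS#7 padding was valid.
"""
import hashlib

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: 8-byte keyed hash. Adequate for a demo, not a real cipher.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        cur = ct[i:i + BLOCK]
        out += xor(toy_decrypt_block(key, cur), prev)
        prev = cur
    return out

class PaddingOracle:
    """The vulnerable server: the only thing it leaks is valid/invalid padding."""
    def __init__(self, key: bytes):
        self._key = key
        self.queries = 0
    def is_padding_valid(self, iv: bytes, ct: bytes) -> bool:
        self.queries += 1
        try:
            unpad(cbc_decrypt(self._key, iv, ct))
            return True
        except ValueError:
            return False

def recover_intermediate(oracle: PaddingOracle, target: bytes) -> bytes:
    """Recover Dec_k(target) byte by byte, last byte first, with oracle queries only."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        want = BLOCK - pos                      # padding value we force at this step
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):         # already-known bytes: make them decrypt to `want`
            forged[j] = inter[j] ^ want
        for guess in range(256):
            forged[pos] = guess
            if not oracle.is_padding_valid(bytes(forged), target):
                continue
            if pos == BLOCK - 1:                # rule out an accidental \x02\x02 (etc.) match
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if not oracle.is_padding_valid(bytes(probe), target):
                    continue
            inter[pos] = guess ^ want           # Dec_k(target)[pos] xor guess == want
            break
        else:
            raise RuntimeError("oracle never accepted a padding")
    return bytes(inter)

def padding_oracle_attack(oracle: PaddingOracle, iv: bytes, ct: bytes) -> bytes:
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(xor(recover_intermediate(oracle, cur), prev)
                  for prev, cur in zip(blocks, blocks[1:]))
    return unpad(pt)

# Constructed demo material; the attacker code above never sees DEMO_KEY.
DEMO_KEY = hashlib.sha256(b"constructed demo key").digest()[:16]
DEMO_IV = bytes(range(BLOCK))
DEMO_SECRET = b"meet at the pier, 0300; bring the ledger"

def demo():
    ct = cbc_encrypt(DEMO_KEY, DEMO_IV, pad(DEMO_SECRET))
    oracle = PaddingOracle(DEMO_KEY)
    return padding_oracle_attack(oracle, DEMO_IV, ct), oracle.queries

if __name__ == "__main__":
    pt, q = demo()
    print(pt.decode(), "| recovered without the key in", q, "oracle queries")
```

In the field the "oracle" is usually an error message, a status code or a timing difference between "bad padding" and "bad MAC", which is how Vaudenay's original attack and Lucky Thirteen against TLS CBC suites worked. The fix is not cleverer padding: authenticate the ciphertext before touching it (AES-GCM or another AEAD, or encrypt-then-MAC with a constant-time comparison) so the server rejects forged blocks without ever running the padding check.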

DoorDash delivery drivers try to manipulate the food biz's payment algorithm to earn a living wage in gig economy

Michael Wojcik Silver badge

Re: Is a tip decided in advance...

Actually $2.13 per hour, provided the employee gets at least $30 in tips per month,¹ under Federal law.

Many states and territories impose higher rates, though in some cases it's only marginally higher (New Mexico raises it to all of $2.55 / hour), and it's rarely a living wage. A handful of states don't allow discounting the minimum wage at all for tipping. Of course, cost of living varies hugely among states and considerably within states, so the real question is the minimum wage adjusted for local cost of living, and that gets complicated when you consider different living situations...

See:

https://www.dol.gov/agencies/whd/state/minimum-wage/tipped

The US does not do well by its service-sector workers and underemployed workers. But that's hardly news, unfortunately.

¹Of course $30/month is a negligible sum for anyone with real expenses, and good luck contesting a fraudulent claim by your employer that you met this very low bar.

US national parks to be smothered under blanket of liquid-hot Magma. Yes, the open-source 5G software

Michael Wojcik Silver badge

Re: Why?

I don't feel any need for 5G anywhere, personally. But certainly this announcement doesn't seem to make any argument in favor of this plan.