218 posts • joined 11 Jan 2008
A little escape hole here...
Have a careful look at the text of the actual Presidential Directive: "In particular, when the United States collects nonpublicly available signals intelligence in bulk, it shall use that data only for the purposes of detecting and countering: [various specific threats] "
Two comments on that word "nonpublicly":
1. That's a word?
2. This text means that the restriction to the specific threats listed doesn't apply to publicly available bulk sigint (such as scraping Facebook pages).
Re: Seems reasonable to me
And yes, I will upvote this because indeed the issue is one of fair trading and consumer protection. Trying to use the common-carrier argument always struck me as strange.
Big fan of http://tools.ietf.org/html/rfc4084
Re: Conflicts of Interest
As usual, you don't understand the IETF, and in particular you don't understand that the IRTF is not a standards body.
Of course, all standards bodies consist of people with opinions, some of whom work for organisations with opinions. Of course, people communicate outside the official sessions and of course, rough drafts of documents exist before more polished drafts are made public. Of course,people try to influence the work in accordance with their opinions. How could it possibly be otherwise?
But I suspect we agree that making conflicts of interest as visible as possible is a Good Thing.
Storm in a RESEARCH teacup
And in case nobody else has pointed it out, he isn't co-chair of a "standards group". He's co-chair of a research forum - admittedly one that offers advice to various standards working groups in need of a crypto algorithm. And he's co-chair because having more than one chair lowers the risk of biased chairing.
Me, I think it's better to know that the NSA is interested in cryptography; but I didn't need Mr Snowden to tell me that.
Bulging in advance
"... cause the ground above to rise "hundreds of metres" in advance of the eruption"
Right. So you see this big bulge which says that there'll be a supervolcano there in 1000 years or so. What next? (I mean seriously, not unreasonable dreams like living on Mars.) I think there might be a bit of social breakdown.
Re: He refused to allow the NSA snooping rights.
For sure, if Mega was outside the scope of both National Security Letters and DMCA takedown notices, it would piss off both the spooks and the Mickey Mouse industry. But in that case, how can Mega also be inside the scope of US jurisdiction when it comes to this vengeful extradition attempt?
And note the tendentious language they use. By repeating the words "criminal" and "conspiracy" often enough, they hope they reader will believe they are true, rather then simply being allegations, which Mr Dotcom denies.
Also note how legal fictions can change to suit whatever you're trying to prove. Sometimes a URL that points to an infringing copy is itself an infringement. This time, deleting such a URL doesn't count as deleting an infringement.
Let's hope the Kiwi courts keep their eyes on the ball.
Switzerland and Crypto AG [Re: This just undescores...]
I think you need to look into Crypto AG a bit before being too bullish about Switzerland.
What ECMA does for a living
C# is ECMA-334. ECMAscript is ECMA-262; ECMA also backed the .docx junk as ECMA-376 before MS conned ISO into adopting it. JSON is ECMA-404. This is what ECMA does to survive; they don't like people to remember that their name stood for European Computer Manufacturers Association.
So, if you're shopping around for a standards organization to rubber stamp your favourite proprietary format, ECMA's the one for you.
Annoying when people like that are *right*, isn't it?
I found Bruce stimulating when I met him.
.cs? That was a problem in about 1985, when we had to handle some email addresses in JANET name order (email@example.com) and some in DNS name order (firstname.lastname@example.org).
But indeed ICANN is right - this stupid money-grab will lead to epic fails.
"Only the adult account holder will be able to change the filter settings."
So they have technology that can detect age from keystrokes do they? Given how many Aged Parents don't understand technology and leave passwords and crap to the kids, I really do wonder how it will work.
Worse: *anybody* can do that. The best trick is probably to generate a binary of an open source browser that happens to include some home-made CA certificates, post that binary on a juicy-looking free download site, sit back and wait. Also, at best, TLS only authenticates one end, even if the certificate is valid. The trust model for TLS is so broken that bad actors don't even need to worry about breaking the crypto.
Re: Beep beep
And today, I find msyelf agreeing with Don Jefe, unlike a few days ago on another matter. Impose Hollywood's and Big Pharma's view of IPR protection so we can sell more kiwi fruit, dead sheep and milk powder? There's a real risk the NZ government will take that deal. Beuh.
Re: Actual facts about the IETF
@Don Jefe: I call BS. What on earth makes you think that government pressure has substantial effects on the IETF? Please give chapter and verse. Of course engineers from vendors and operators participate in the IETF, which is why IETF standards actually relate to the real world. Again: educate yourself.
I do know exactly who steers the IETF. I mean I know them personally. I assure you that the quickest way to get shouted down in the IETF is to say "My company thinks...". And nobody is stupid enough to say "My government thinks..." because it would be greeted by raucous laughter.
Actual facts about the IETF
I think Mr Jefe should actually watch the video of the session at http://www.ietf.org/live/ or https://www.youtube.com/watch?v=oV71hhEpQ20. You can skip the first 22 minutes of routine reports.
And even read a few words about how the IETF actually works, for example starting at http://www.ietf.org/newcomers.html
Re: More to the point, let's fix the code
Yes, people in the IETF are *very* aware of the risk of crypto algorithms and implementations that have been suborned, but that is only one issue among many, and *all* the issues need to be dealt with. What we now know with great clarity is that if any attack on privacy is possible, it will be exploited, so every single one of them needs to be fixed. The risk of backdoors being exploited by bad actors was pointed out years ago:
" What this boils down to is that if effective tools for wiretapping exist, it is likely that they will be used as designed, for purposes legal in their jurisdiction, and also in ways they were not intended for, in ways that are not legal in that jurisdiction." (RFC2804, May 2000)
More to the point, let's fix the code
Signals intelligence agencies have been breaking codes for a hundred years now, and they aren't going to stop because TimBL says so. So the constructive approach is to fix the problem, by making the Internet surveillance-resistant. The IETF decided to do that for the protocols it specifies just yesterday, in Vancouver. What's the W3C doing to help?
Re: They have
> So who is right and who is wrong?
Apparently the Australians (and the Canadians) are more obedient to instructions from Washington than the Brits or the Kiwis. I don't think there's any sense in asking who's right, since the whole thing is founded on xenophobia anyway, and on fear of a rising economy while the West declines.
Why expect rationality?
Since this is all about paranoia, stereotyping, xenophobia, and political posturing, why would you expect any rational reason to be needed for anything?
Rationally, you are far safer from backdoors with Chinese kit, because their industry doesn't have the fifty years or so experience with modern signals intelligence that UKUSA companies have. PRISM didn't just happen by accident, did it?
Re: After all the sabre rattling....
Strangely enough, the revelation that routers from the main US vendors have been subverted makes the paranoia about Huawei more understandable: people who knew what was going on with Cisco and Juniper boxes (but weren't allowed to talk about it) would have good reason to suspect Huawei boxes, but couldn't say why, so they used rumour and innuendo.
You're right though - the Snowden revelations have levelled the playing field, and about time too.
Re: Europe should create its own Internet
We tried that. Didn't work out too well.
Re: Can you see where this is going?
"global body comprised of governments"? Who ever suggested that; even the ITU can't be described accurately as that. The suggestion always has been a multi-stakeholder body without governments having a deciding role - which to be fair to ICANN and the US Govt, is to a large extent what we have today. It just needs to be moved out of US jurisdiction, into a jurisdiction that properly recognises the status of non-governmental organisations.
I can't imagine, though, why anyone would think for a moment that divorcing ICANN and the US would break the 'net or stop the spooks, so I find the whole story very puzzling.
Re: Equal footing with Uncle Sam
That isn't quite the point. Nobody is naive enough to believe that smaller countries (economically speaking) can have as much influence as larger countries. The issue is that ICANN shouldn't function under the law and jurisdiction of any one country, because it shepherds resources for the whole world. It shouldn't function under the UN (i.e. ITU in this context) either, on the basis of past experience. It should be (and should always have been) based as a recognised NGO in a neutral country, not as a pseudo-non-profit in the US.
All of which has nothing to do with PRISM.
Snowden leaks of GCHQ methods HELPED STUPID TERRORISTS
The ones who aren't stupid, presumably the most effective ones, have surely known for years that Five Eyes were reading their traffic. If they didn't know it before Rumsfeld talked about "chatter in the system", they certainly knew it then. But I presume they already used strong cryptography long before.
Re: So ... UKUSA agreement cracking?
Nah. Canada, Australia and NZ have been part of it since 1942 or thereabouts, even though it wasn't actually signed until 1946. No cracks worth mentioning, I don't think.
www.nsa.gov sez "Due to the Government Shutdown, this site is not being updated." Maybe they aren't capturing any metadata then.
Re: Such a waste of time and paper.
Er, some people can hold two ideas in their head at once, like trying to reduce human impact on the climate *and* limit population growth. And there's a bit of a problem here, too: we know that family sizes get smaller as people get richer, so the people of Africa and Asia need to get richer and less polluting simultaneously. Put that in your pipe and don't smoke it.
Re: Boy, do I need to study business!!
The real confusion is calling Milo Minderbinder a "cook". What an insult - the man was a genius, and he was the mess officer, well placed to buy and sell eggs with other people's money.
Re: I did busniess with Huawei 10 years ago.
"I dont know who started the rumors ... ten years before any of the NSA spy stuff was confirmed."
ECHELON was already well known by then, and you can be sure that NSA and GCHQ were already busy suborning the Western vendors and carriers ten years ago; the Snowden revelations are pretty old news. So somebody suggested to somebody to suggest to somebody else that Huawei might be doing the same thing. Or that they should be, if they wanted to sell kit to the West.
Re: Watts is a traitor
Where did that come from? In any case, everything he is reported as saying makes complete sense.
Re: FCC: Stand your ground!
You say Verizon is trying to "monetize something which they don't own". That's not quite right. They're objecting to two rules - one that prevents them from arbitrarily blocking user access to content, and another that only allows them to perform traffic engineering for "reasonable" technical purposes. What they are trying to do is grab the right to have captive customers, which is a lot *worse* than simply opposing network neutrality by discriminating against some content.
"NSA and the UK's Government Communications Headquarters (GCHQ) have placed backdoors in popular encryption standards "
That is *not* what Bruce says. He says they have placed backdoors in *implementations* of the standards - in other words, they've got at the code.
That's why open source implementations of cryptography are the way to go; you can look for the backdoor yourself (assuming you have the right skills). What we have learned this week, which we really knew already, is that you can't trust an implementation of cryptography that's sold to you in a black box.
Re: Good (or not)
otoh they passed a security bill the other day that effectively makes the Prime Minister a one-man FISA court, so that they next time they want to spy on the likes of Kim Schmitz they can do so legally.
"(sadly) ,Nick Griffin was at Downing."
Of course. That's why the College coat of arms has a griffin segreant:
history of the Guardian
" history of the Guardian. It was formed and funded by "liberals" with the sole aim of..."
Huh? It was "formed" by the Manchester Guardian, founded in 1821, which had achieved national circulation (unlike *any* other paper from outside London), relocating to London and dropping the "Manchester". In 1821 it was indeed "liberalist" but that meant opposing government oppression such as the Peterloo Massacre. The founders were for democracy and free trade.
It was however the first British newspaper to print the word "fuck" after Kenneth Tynan used it on live TV.
Our country will be the very last
It's an odd assertion anyway, given the amount of IPv6 activity in the US.
Also, "over-engineering" is a pretty vague slur. At this point in history, IPv4 is horribly over-engineered (just look at how load balancing works, for example).
So, time to copy NZ?
Yet another reason why various countries are liable to copy the NZ legislation currently being rammed through Parliament with desperate techniques, to expose any application service provider perfectly legally to PRISM or Xkeyscore at the whim of the government.
Post anonymously? What's the point? They know anyway.
Very cool, but extra work for XKeyscore I'm afraid.
"Shame on the courts that allow them to get away with it."
Whaddya mean? The NZ courts have come out of this very well so far, zapping GCSB heavily over the Kim.com affair. That's exactly why the Key.govt is now zapping the law. I wouldn't be surprised to see a Human Rights Act case against the new law in due course, which would give the courts a second shot.
Also the story doesn't emphasise that if the bill passes it will be by one vote, and that vote comes from an MP widely regarded as a joke.
"Suggest you delete your post"
Because it's hot news that some versions of Java have security issues?
Really, this horse left the stable quite a while ago...
Re: Perhaps given the wording...
Given that there is no god, the second clause is also a given.
Re: The Civil Service at its best!
But once again, as with PRISM: what's the surprise? It was obvious from press stories months ago - maybe even here at Ye Vulture Central - that the centre was operated by Huawei itself. How come they're surprised?
I need an icon for head scratching.
Re: Not too much
Indeed. If you remember Clipper, key escrow, and all that, would you really expect them to be happy about putting strong asymmetric key cryptography into everybody's tablet and smartphone? Without that, confidentiality (aka privacy) is pretty much impossible.
Re: Only criminals have privacy
"It takes just a few minutes for criminals to setup encryption..."
I think you mean serious and organised groups. Amateur-hour crims and terrorists don't know or don't bother, so tend to get caught by surveillance states. The real concern has always been that the really dangerous ones will have unbreakable crypto, whatever the law says and whatever the sigint people do.
Not permissible and not appropriate
"Instead, the EWG recommends a paradigm shift whereby gTLD registration data is collected, validated and disclosed for permissible purposes only, with some data elements being accessible only to authenticated requestors that are then held accountable for appropriate use."
In other words, they want to allow people who register domains to be able to hide that fact from the public. I don't think that's appropriate and I don't think it should be permitted.
To say that again: who registered any domain name *must* be public information. Anything else will just help slimeballs and swindlers. (And providing such information to the public should just be part of the cost of doing business for the registries: quit moaning that whois costs money.)
It goes without saying the the IP address part of whois is equally vital.
Re: Express incredulity
I think we'd be talking about fibre taps leading off to very specialised passive bit snarfers, not NetFlow and the like. No science fiction there, and as another comment said, traffic sampling would help identify targets for more focussed snarfing where NetFlow might suffice.
Re: pretty pissed off
"the press are still pretty pissed off about their personal phone interceptions"
But are they surprised? I've assumed since about 1996 that my email has all been sucked up by some large machine somewhere; technology comes and goes, but the people who fought so hard against ready public access to cryptography had a reason for doing so back then, and what could it have been except a big electronic vacuum cleaner? Of course the same applied to phone records as soon as they went onto computers, decades ago.
Kudos to Mr Snowden, but, really, where's the surprise?
Good for them
Never thought I'd say it - good for the govt! The paranoid xenophobic nonsense about Huawei deserves to be ignored.
Re: Wrong direction
> Or just define a standard.
Exactly. Like it or not, there *will* be DRM for HTML5 content. Better an interoperable standard than random proprietary solutions. As long as it is an optional standard, of course.
The EFF should worry about applicability of DRM, not about its existence, which is a given.
How do you know that? Given that so many "Western" companies subcontract manufacturing to China (etc.), but pay for their R&D and ridiculous senior management salaries and bonuses at OECD rates, how do you know that Chinese companies aren't simply cheaper to run?