232 posts • joined 11 Jan 2008
Blame the programming language, not the programmer
" Essentially, he forgot to check the size of a received message"
No. The world took a wrong turn many years ago (in the early 1980s) and ignored the known fact that languages without strong typing, rigorously enforced at compile time, are dangerous. In particular they're subject to array overrun bugs. In the mistaken name of efficiency, we've been using sloppy languages ever since. It's perfectly possible to get efficient code out of a strongly-typed language where this class of bug is simply impossible; it's just more difficult to get your code through the compiler, because it won't let you do potentially dangerous things. This isn't a wakeup call for individual coders: it's a wakeup call for the whole industry to look again at the basics of systems programming languages.
Re: Nuno trancoso
If the EU governments don't already have end to end encryption for intra- and inter-governmental communications, that's a massive fail. Ditto European companies. They have been aware since 1985 or thereabouts that networks can be tapped by bad actors. (Actually, make that 1974 for those that read The Ultra Secret, or 1945 for a lucky few.)
As others have pointed out, a geographically bound network is immaterial for general purpose traffic that either crosses the ocean anyway, or is subject to local surveillance anyway. Encryption is the only answer, and does not need a separate network.
Re: I have to say
Shorely The Internet is already on the pedal stool.
Not to contradict Vint, but...
I don't doubt a word Vint says, but re: "practical reality had to wait until Ron Rivest, Adi Shamir and Leonard Adleman published the RSA algorithm in 1977."
That ignores the fact that real practical reality had to wait until the RSA patent expired in September 2000. It was pretty much impossible to deploy public key crypto on an unlimited scale until then.
(Also, BTW, the actual *existence* of the NSA was surely top secret until about 1975, and little known until The Puzzle Palace was published in 1982?)
Re: Net neutrality nonsense
> So spam filtering is against the law then ?
That would be a perfectly reasonable reading of the text. I don't understand the downvotes - they imply that people enjoy it when their Skype call breaks up because one of their neighbours is downloading something big. The text simply doesn't match technical reality. You *should* discriminate in a way that favours timely delivery of audio packets, for example; you *shouldn't* discriminate in favour of some audio services as compared to others. The language needs to be more subtle.
Net neutrality nonsense
Hmm. Let's look at the net neutrality amendment from
'The principle of "net neutrality" means that traffic should be treated equally, without discrimination, restriction or interference, independent of the sender, receiver, type, content, device, service or application. ... Furthermore, traffic management measures should not discriminate between competing services and applications.'
This is absurd. If interpreted literally, as lawyers tend to do with laws, it means that a greedy video or audio stream and a non-urgent email transfer (for example) will be treated exactly the same. Would you like your phone call to pause while the next web page loads? That's what the MEPs just voted for. Technical ignorance is not bliss.
ICANN is mostly a success
"There are a few bright spots like DNSSEC and IDN, but they are few and far between."
What on earth is he talking about? ICANN has mainly done what it's supposed to do: hosted the Internet Assigned Numbers Authority, which has worked perfectly there since 1998; managed the process of adding Top Level Domains to the DNS - some (including me) disagree with some of the decisions, but nobody can deny that ICANN has managed the process; overseen the DNS root; and indeed assisted the start of deployment of DNSSEC and IDNA.
ICANN has multiple stakeholder bodies to which it's accountable, including the ICANN Board itself. Yes, there's an element of greed in the gTLD game, which I deprecate too, but that can be blamed on capitalism more than on ICANN. And if anybody has sat back and let that rip, it's the US Dept of Commerce, so the sooner they step down, the better. A few procedural changes are needed for that to happen; but there is no scenario in which any other government obtains control.
According to https://datatracker.ietf.org/ipr/search/, none so far. But the lawyers might still be chewing on that.
BTW, it doesn't look like an SDN protocol to me. It's more of a YANMP (yet another network management protocol) and I don't think the IETF is quite ready for that while still digesting NETCONF and RESTCONF.
Why (not) IBM
> Why does IBM think(lie) that it was able to evoid the NSA whereas MS, Google & Apple couldn't?
Because, having got rid of the IBM Global Network many years ago and with all their PC operations moved to LeNovo, IBM doesn't actually have clients among the general public any more. So their client databases are completely different in nature from those of MS, Google, FB, etc. and probably less interesting, except for industrial espionage. Please don't down-vote me just for saying this, but IBM might even be telling the truth - because their data is boring.
Paris, because I expect Hilton is still an IBM client.
Re: Protectionsim and hypocrisy
Maybe it depends on the site. At the one I'm thinking of they glue up your USB slots (literally). Maybe not so much at a sales and support site?
otoh I remember once being left alone at DEC in a meeting room that had their departmental product development plan for several years ahead posted on the wall. It was at least 15 minutes before someone noticed and yanked me out of there.
Protectionsim and hypocrisy
It's clearer with each new revelation about the USG machinations against Huawei that all this has little to do with security (since, obviously, US vendors are even more exposed to NSA backdoors than Huawei can possibly be) and everything to do with protecting the US market in favour of US suppliers. It isn't irony as much as it's hypocrisy.
Huawei, not coincidentally, has much stricter rules governing laptops entering and leaving their sites than any US vendor I've visited. It would be interesting to learn how the alleged backdoor code was actually inserted.
coming out fighting
> either shut up or say that he is "confident of being cleared"
Why? That's how people react who are slavishly obeying a defence lawyer's advice. Lynch is coming out fighting. That proves nothing about the facts of the case; it does suggest that he's not too afraid of the truth.
s/Autonomy/Whatsapp/ and see how the real value of the acquisitions compare. This is a business full of BS valuations - apparently HP wasn't aware of this until recently.
Re: What if ICANN goes renegade?
That's what the multistakeholder buzzlanguage is about - checks and balances on ICANN. Actually that's how it works today; NTIA has had almost no influence via its contract. The end of the contract is a Good Thing, especially given the widespread distrust of the US Government in recent months.
A little escape hole here...
Have a careful look at the text of the actual Presidential Directive: "In particular, when the United States collects nonpublicly available signals intelligence in bulk, it shall use that data only for the purposes of detecting and countering: [various specific threats] "
Two comments on that word "nonpublicly":
1. That's a word?
2. This text means that the restriction to the specific threats listed doesn't apply to publicly available bulk sigint (such as scraping Facebook pages).
Re: Seems reasonable to me
And yes, I will upvote this because indeed the issue is one of fair trading and consumer protection. Trying to use the common-carrier argument always struck me as strange.
Big fan of http://tools.ietf.org/html/rfc4084
Re: Conflicts of Interest
As usual, you don't understand the IETF, and in particular you don't understand that the IRTF is not a standards body.
Of course, all standards bodies consist of people with opinions, some of whom work for organisations with opinions. Of course, people communicate outside the official sessions and of course, rough drafts of documents exist before more polished drafts are made public. Of course,people try to influence the work in accordance with their opinions. How could it possibly be otherwise?
But I suspect we agree that making conflicts of interest as visible as possible is a Good Thing.
Storm in a RESEARCH teacup
And in case nobody else has pointed it out, he isn't co-chair of a "standards group". He's co-chair of a research forum - admittedly one that offers advice to various standards working groups in need of a crypto algorithm. And he's co-chair because having more than one chair lowers the risk of biased chairing.
Me, I think it's better to know that the NSA is interested in cryptography; but I didn't need Mr Snowden to tell me that.
Bulging in advance
"... cause the ground above to rise "hundreds of metres" in advance of the eruption"
Right. So you see this big bulge which says that there'll be a supervolcano there in 1000 years or so. What next? (I mean seriously, not unreasonable dreams like living on Mars.) I think there might be a bit of social breakdown.
Re: He refused to allow the NSA snooping rights.
For sure, if Mega was outside the scope of both National Security Letters and DMCA takedown notices, it would piss off both the spooks and the Mickey Mouse industry. But in that case, how can Mega also be inside the scope of US jurisdiction when it comes to this vengeful extradition attempt?
And note the tendentious language they use. By repeating the words "criminal" and "conspiracy" often enough, they hope they reader will believe they are true, rather then simply being allegations, which Mr Dotcom denies.
Also note how legal fictions can change to suit whatever you're trying to prove. Sometimes a URL that points to an infringing copy is itself an infringement. This time, deleting such a URL doesn't count as deleting an infringement.
Let's hope the Kiwi courts keep their eyes on the ball.
Switzerland and Crypto AG [Re: This just undescores...]
I think you need to look into Crypto AG a bit before being too bullish about Switzerland.
What ECMA does for a living
C# is ECMA-334. ECMAscript is ECMA-262; ECMA also backed the .docx junk as ECMA-376 before MS conned ISO into adopting it. JSON is ECMA-404. This is what ECMA does to survive; they don't like people to remember that their name stood for European Computer Manufacturers Association.
So, if you're shopping around for a standards organization to rubber stamp your favourite proprietary format, ECMA's the one for you.
Annoying when people like that are *right*, isn't it?
I found Bruce stimulating when I met him.
.cs? That was a problem in about 1985, when we had to handle some email addresses in JANET name order (firstname.lastname@example.org) and some in DNS name order (email@example.com).
But indeed ICANN is right - this stupid money-grab will lead to epic fails.
"Only the adult account holder will be able to change the filter settings."
So they have technology that can detect age from keystrokes do they? Given how many Aged Parents don't understand technology and leave passwords and crap to the kids, I really do wonder how it will work.
Worse: *anybody* can do that. The best trick is probably to generate a binary of an open source browser that happens to include some home-made CA certificates, post that binary on a juicy-looking free download site, sit back and wait. Also, at best, TLS only authenticates one end, even if the certificate is valid. The trust model for TLS is so broken that bad actors don't even need to worry about breaking the crypto.
Re: Beep beep
And today, I find msyelf agreeing with Don Jefe, unlike a few days ago on another matter. Impose Hollywood's and Big Pharma's view of IPR protection so we can sell more kiwi fruit, dead sheep and milk powder? There's a real risk the NZ government will take that deal. Beuh.
Re: Actual facts about the IETF
@Don Jefe: I call BS. What on earth makes you think that government pressure has substantial effects on the IETF? Please give chapter and verse. Of course engineers from vendors and operators participate in the IETF, which is why IETF standards actually relate to the real world. Again: educate yourself.
I do know exactly who steers the IETF. I mean I know them personally. I assure you that the quickest way to get shouted down in the IETF is to say "My company thinks...". And nobody is stupid enough to say "My government thinks..." because it would be greeted by raucous laughter.
Actual facts about the IETF
I think Mr Jefe should actually watch the video of the session at http://www.ietf.org/live/ or https://www.youtube.com/watch?v=oV71hhEpQ20. You can skip the first 22 minutes of routine reports.
And even read a few words about how the IETF actually works, for example starting at http://www.ietf.org/newcomers.html
Re: More to the point, let's fix the code
Yes, people in the IETF are *very* aware of the risk of crypto algorithms and implementations that have been suborned, but that is only one issue among many, and *all* the issues need to be dealt with. What we now know with great clarity is that if any attack on privacy is possible, it will be exploited, so every single one of them needs to be fixed. The risk of backdoors being exploited by bad actors was pointed out years ago:
" What this boils down to is that if effective tools for wiretapping exist, it is likely that they will be used as designed, for purposes legal in their jurisdiction, and also in ways they were not intended for, in ways that are not legal in that jurisdiction." (RFC2804, May 2000)
More to the point, let's fix the code
Signals intelligence agencies have been breaking codes for a hundred years now, and they aren't going to stop because TimBL says so. So the constructive approach is to fix the problem, by making the Internet surveillance-resistant. The IETF decided to do that for the protocols it specifies just yesterday, in Vancouver. What's the W3C doing to help?
Re: They have
> So who is right and who is wrong?
Apparently the Australians (and the Canadians) are more obedient to instructions from Washington than the Brits or the Kiwis. I don't think there's any sense in asking who's right, since the whole thing is founded on xenophobia anyway, and on fear of a rising economy while the West declines.
Why expect rationality?
Since this is all about paranoia, stereotyping, xenophobia, and political posturing, why would you expect any rational reason to be needed for anything?
Rationally, you are far safer from backdoors with Chinese kit, because their industry doesn't have the fifty years or so experience with modern signals intelligence that UKUSA companies have. PRISM didn't just happen by accident, did it?
Re: After all the sabre rattling....
Strangely enough, the revelation that routers from the main US vendors have been subverted makes the paranoia about Huawei more understandable: people who knew what was going on with Cisco and Juniper boxes (but weren't allowed to talk about it) would have good reason to suspect Huawei boxes, but couldn't say why, so they used rumour and innuendo.
You're right though - the Snowden revelations have levelled the playing field, and about time too.
Re: Europe should create its own Internet
We tried that. Didn't work out too well.
Re: Can you see where this is going?
"global body comprised of governments"? Who ever suggested that; even the ITU can't be described accurately as that. The suggestion always has been a multi-stakeholder body without governments having a deciding role - which to be fair to ICANN and the US Govt, is to a large extent what we have today. It just needs to be moved out of US jurisdiction, into a jurisdiction that properly recognises the status of non-governmental organisations.
I can't imagine, though, why anyone would think for a moment that divorcing ICANN and the US would break the 'net or stop the spooks, so I find the whole story very puzzling.
Re: Equal footing with Uncle Sam
That isn't quite the point. Nobody is naive enough to believe that smaller countries (economically speaking) can have as much influence as larger countries. The issue is that ICANN shouldn't function under the law and jurisdiction of any one country, because it shepherds resources for the whole world. It shouldn't function under the UN (i.e. ITU in this context) either, on the basis of past experience. It should be (and should always have been) based as a recognised NGO in a neutral country, not as a pseudo-non-profit in the US.
All of which has nothing to do with PRISM.
Snowden leaks of GCHQ methods HELPED STUPID TERRORISTS
The ones who aren't stupid, presumably the most effective ones, have surely known for years that Five Eyes were reading their traffic. If they didn't know it before Rumsfeld talked about "chatter in the system", they certainly knew it then. But I presume they already used strong cryptography long before.
Re: So ... UKUSA agreement cracking?
Nah. Canada, Australia and NZ have been part of it since 1942 or thereabouts, even though it wasn't actually signed until 1946. No cracks worth mentioning, I don't think.
www.nsa.gov sez "Due to the Government Shutdown, this site is not being updated." Maybe they aren't capturing any metadata then.
Re: Such a waste of time and paper.
Er, some people can hold two ideas in their head at once, like trying to reduce human impact on the climate *and* limit population growth. And there's a bit of a problem here, too: we know that family sizes get smaller as people get richer, so the people of Africa and Asia need to get richer and less polluting simultaneously. Put that in your pipe and don't smoke it.
Re: Boy, do I need to study business!!
The real confusion is calling Milo Minderbinder a "cook". What an insult - the man was a genius, and he was the mess officer, well placed to buy and sell eggs with other people's money.
Re: I did busniess with Huawei 10 years ago.
"I dont know who started the rumors ... ten years before any of the NSA spy stuff was confirmed."
ECHELON was already well known by then, and you can be sure that NSA and GCHQ were already busy suborning the Western vendors and carriers ten years ago; the Snowden revelations are pretty old news. So somebody suggested to somebody to suggest to somebody else that Huawei might be doing the same thing. Or that they should be, if they wanted to sell kit to the West.
Re: Watts is a traitor
Where did that come from? In any case, everything he is reported as saying makes complete sense.
Re: FCC: Stand your ground!
You say Verizon is trying to "monetize something which they don't own". That's not quite right. They're objecting to two rules - one that prevents them from arbitrarily blocking user access to content, and another that only allows them to perform traffic engineering for "reasonable" technical purposes. What they are trying to do is grab the right to have captive customers, which is a lot *worse* than simply opposing network neutrality by discriminating against some content.
"NSA and the UK's Government Communications Headquarters (GCHQ) have placed backdoors in popular encryption standards "
That is *not* what Bruce says. He says they have placed backdoors in *implementations* of the standards - in other words, they've got at the code.
That's why open source implementations of cryptography are the way to go; you can look for the backdoor yourself (assuming you have the right skills). What we have learned this week, which we really knew already, is that you can't trust an implementation of cryptography that's sold to you in a black box.
Re: Good (or not)
otoh they passed a security bill the other day that effectively makes the Prime Minister a one-man FISA court, so that they next time they want to spy on the likes of Kim Schmitz they can do so legally.
"(sadly) ,Nick Griffin was at Downing."
Of course. That's why the College coat of arms has a griffin segreant:
history of the Guardian
" history of the Guardian. It was formed and funded by "liberals" with the sole aim of..."
Huh? It was "formed" by the Manchester Guardian, founded in 1821, which had achieved national circulation (unlike *any* other paper from outside London), relocating to London and dropping the "Manchester". In 1821 it was indeed "liberalist" but that meant opposing government oppression such as the Peterloo Massacre. The founders were for democracy and free trade.
It was however the first British newspaper to print the word "fuck" after Kenneth Tynan used it on live TV.
Our country will be the very last
It's an odd assertion anyway, given the amount of IPv6 activity in the US.
Also, "over-engineering" is a pretty vague slur. At this point in history, IPv4 is horribly over-engineered (just look at how load balancing works, for example).
- Opportunity selfie: Martian winds have given the spunky ol' rover a spring cleaning
- Spanish village called 'Kill the Jews' mulls rebranding exercise
- NASA finds first Earth-sized planet in a habitable zone around star
- New Facebook phone app allows you to stalk your mates
- Battle of the Linux clouds! Linode DOUBLES RAM to take on Digital Ocean