2059 posts • joined 9 Jun 2009
Re: Why I'd never use this...
You're one of the few people who actually looked at the legal context. I'm not surprised by the omission, though, most technical people tend to focus on technical problems and privacy is actually not a technical problem at all, that's just tweaking in the margin of the current global problem (the NSA is but one of the issues, and is actually distracting from the bigger context).
I'm happy they have put some good thinking into the tech aspect, because that widens the choices you have for SECURITY. But security is not the problem: broken law enforcement is.
In this context it's much better to have data under German law than under US law - if it wasn't for the fact that it isn't, as far as I can see. Even if Amazon stores in in a EU location, as it's a US company it can be compelled to supply that data, irrespective of that causing them to break the law in the nation the data is hosted (hence the copious disclaimers for their service in that respect). As I have mentioned before, from a perspective of wanting to protect personal data it's a really bad idea to touch any outfit with a US HQ as they are legally compromised.
So, good marks for coming up with more tech approaches to security, but more work to do on the business framework until this is viable. IMHO, of course.
Re: Am I missing the point or is somone else???
You're actually both correct and mistaken. Mistaken insofar that you assume that logic dictates routing, whereas BGP routing between autonomous systems is actually something that is frequently, umm, "adjusted" (I think there are some setups that collect evidence of that - I would welcome a pointer where this is accessible). I recall from quite a while back that we saw quite often traffic route via the US whereas the shortest and most efficient route would have indeed been direct.
Where you are right is that we should indeed not consider ANY network trustworthy, and use encryption by default (provided we find a way to trust endpoint certificates - as quite a lot of CAs are US based there is plenty of scope to issue certs for man-in-the-middle activities by whatever 3 letter agency feels the need). That way, it doesn't matter if you use a wet piece of string, an airport WiFi link (which is practically always intercepted) or a serious fibre to the desktop connection that takes seconds to deliver a whole DVD worth of data. Personally, the latter is the only way we can address the problems, but there are an awful lot of protocols that still default to cleartext. SMTP is one of them.
Re: I can understand the potential foreign trade implications...
if they want to trade in the EU then the US can change the law. Not that big of a deal.
Ah, but that is the sticking point: it IS a big deal - a HUGE deal, actually. The US laws that are the problem exist at federal level, and there are 2 main issues:
1 - those laws were created (or, to be more exact, existing laws were seriously weakened) for a reason. Plenty of authorities and companies base their existence on these laws, so they will not give up this seriously deficient framework to go back to a situation where they will actually have to submit to supervision and due process and provide transparency of what they do. Another factor that matters here is that there have been plenty of skeletons produced, to be discovered when this gets tidied up (as Snowden has already shown).
2 - even assuming issue (1) can be addressed, as the problem exists at federal level you can't quickly fix this problem. Changing federal level laws will take years of drafting and wrangling with stakeholders (and that's without taking the politics into account). The issue is that the revenue hit is taking place right now. Silicon Valley is already feeing the pain, and I expect a lot of privacy BS to be sent our way in the coming months. 2014 will probably become known as the year of privacy bullshit, because the depth of the hole the US has dug for itself here has finally become visible.
Anyone with even a remote clue about privacy would have seen the not-so-very-Safe Harbour agreement for the sham it was. Seriously? Self certification for something so critical to EU data protection rules? Also, just examing what sort of *cough* "fines" the FTC has been handing out to companies that were not compliant - it exposes Safe Harbour for the fudge it is. The only issue unsafe Harbour addressed was preventing a trade war - it has absolutely ZERO to do with the protection of privacy of EU citizens. That this particular chicken has now come home to roost is IMHO A Very Good Thing That Was Long Overdue.
Don't get me wrong: I fully expect the EU with be blackmailed into accepting a new Unsafe Harbour agreement for pretty much the same arguments as before. Let the EU corporate buyer beware - if client data gets exposed through an US connection, your own business ends up holding the can.
IMHO, the US has become a no-go zone for those who need to protect clients or intellectual property, unsafe Harbour or not.
Re: Anyone for Real TitanICQ Poker?
IMHO the issue is very easy to summarise: either the US returns to a point where US service providers can only be forced to provide data through a legal path that requires probable cause, due process, avoids dragnet surveillance and is sufficiently transparent and accountable to re-introduce any trust in the US as a trade partner that can actually be trusted, or the US loses this business.
I predicted in January we'd face strong arm tactics, because US law makes it effectively impossible for US companies to credibly claim they can protect personal data up to EU standards. It's not that they don't want to, but they simply can't - federal laws leave US companies without any ability to protect themselves against official, yet unwarranted demands for access. This means that the whole of Silicon Valley is unable to supply services to EU companies that have a need to stay compliant with Data Protection laws, and that is absolutely correct - that's what they signed up for in 1948 with this whole Human Rights thing. It's not enough to pretend - it has to be done properly, and provably correct.
If the US wants to continue playing in that sphere it has to fix its laws instead of trying the usual lobbying, bribing and bullying with trade embargoes. Because trade embargoes don't fix the actual issue, and won't force EU companies to buy US services. If anything, it creates the impression that the US has definitely something to hide, and has no intention to address the problem.
In which case they *deserve* to lose EU business in the EU.
Re: well personally
Are you waiting for another offering that absolutely, totally promises not to cooperate with these organisations?
If they're US based that would be a lie, or a very short-lived organisation. Planning upfront for defy a legal notice is not exactly a sustainable business model :)
Re: Nice try
In order to defeat the Trojan that the NSA has installed on your PC, they'll need to encrypt the data before it gets to your keyboard. And then the NSA will initiate a covert program to have us all chipped.
Err, no, the "duh" here is that MIT has become yet another set of propellor heads that fixed what didn't need fixing. The security of Lavabit and Silent Circle was OK too. They didn't close shop because there was a technical problem, they closed because they discovered themselves legally defenceless against lawful demands for data - which they had to provide unencrypted.
It really doesn't seem to sink in that the current issues with security are not technical at all (or maybe there is such a large amount of technical noise to camouflage the real issue): whatever brand of crypto safe you use is entirely irrelevant if you can be legally forced to open up the damn thing for any official who feels like having a peek.
This has actually been a massive problem for a few years for US providers, but it's only now becoming very clear after the EU decided not to yet again bow to lobbying and blackmail (IMHO, the US political position was dramatically weakened by the Snowden revelations). Technology is not the problem - US law is. And as we are dealing with federal law it will take YEARS to fix, if ever.
.. I prefer Serengeti :p
.. I can run Tetris on our own office building. Yes, please :)
Re: They're not paying you $100
they panic and realise that the low opinion of it has become so deeply entrenched that the risk becomes apparent that this may break the chain of Windows (and therefore Office) license revenues that has kept the moolah rolling in for so many years now.
Actually, they are panicking already. The Swiss office of data protection told them to clean up their act of face problems with selling Office 365 in Switzerland. In something that is IMHO totally unprecedented for especially a *LARGE* US company, Microsoft agreed to not only make their contracts subject to Swiss law, but also give clients a choice as to where to host their data. (translated link, original article is German).
A logic tester? Luxury!
Ah, the delight of the Yorkshire men sketch.. :)
I switched to using the CMOS 4011 as soon as I could. You could do a lot more with a single battery that way :). Heck, I even used it in SMD form, a good thing I had a Weller soldering iron because they demanded a bit more quality from my then meagre soldering talents :)
Maybe it was the abject failure of the PCjr keyboard that inspired IBM to create one of the best keyboards ever later? I know people that have clung on for dear life to their IBM PC clackety-clack keyboard and still seek out its modern equivalent when buying systems because of its tactile feedback (or its weight - these things had serious substance). However, in a modern office, the audible component is somewhat less appreciated, but there are less noisy equivalents now.
Personally I was more partial to the keys that used a tiny magnet attached to the keys, closing a reed switch. The depth of such keyboards meant they had to be built in, but I rather liked the feel of them.
Now THIS is where OBEs belong
Personally, I would not just congratulate the boy, but also the headmaster who was willing to give a kid the chance to do this. I know plenty who would have said "no" on the basis of perceived risk, but he did two things right:
1 - he trusted the kid (no doubt he did his own checking, but I like the fact that he expressed this trust in the press too)
2 - he helped with the project.
Could we please give one less OBE to someone for their ability to extract money from the population, and hand it to this guy? This is what teaching should be about.
Re: "Arrested and charged the man"
Why did they not arrest and charge both?
That wouldn't fly :p
Re: Ah the mightly psion
OLP => OPL (Organiser Programming Language)
Re: Psion 3
You could also put your phone over the speaker and dial a number from the phone book using DTMF - which seemed quite cool at the time.
Upvote - I'd forgotten about that. It had one tiny downside, though - the bottom was seriously incompatible with credit cards as the speaker magnet was strong enough to mess up the magnetic strip :)
Is it just me ..
.. or did we skip over the entire Palm ecosystem?
Palm pilots had their own fanclub :). I personally was more in the Psion camp because especially on the Organisers and Series 3 you could just write your own software, on the device, and with a bit of trickery all your data was available to mess around with. Then the programming language "grew up" (i.e. became unavailable for the average end user who just wanted to do something with their data).
The Psion Organiser II was good training for your memory because you'd have to hold most of the code in your head (a 2x16 or later 4x20 screen is a tad small :), but you could code anywhere, any time. I'd love a language like OPL for Android and iOS, because it would enable a lot of people to enjoy the fun of quickly hacking something together instead of having to learn high grade programming from scratch.
Having said all that, I liked Palm. I had a few..
Re: Great headline!
Yup - I know that addiction well. It even gets worse if you're into electronics as well :)
My best buy ever there was a remote control which elegantly solved the problem of losing it under the cushions on the sofa by being laughably large. I don't think I've bought anything of true *practical* value since :)
I suspect it's too much to ask for, but wouldn't there be a way to establish a common format at federal level, and make agencies responsible for their own translation interface? Or is the data so diverse that this becomes too unwieldy?
Starting from one standard seems to make more sense, because at that point you have a definition you can work with. If you want to wrangle the date into your own convoluted mess you are welcome to blow your own budget on it.
Just musing, it's probably too sensible to work in a political environment :)
Re: @AC - Not actually a new idea
set the camera on a 5 second time delay and get your pole out
Respect. In only 5 secs AND making a picture of it? Them are skillz :p
Re: Hmm. You never......
"This isnt even remotely causing MS to panic"
You are starting to sound like a set of "Monty Python" sketches - "The Spanish Inquisition" or "The Black Knight" maybe
Definitely the Black "it's merely a flesh wound" Knight :)
Not zealots - hard core business realists
I rather object to the repeated use of the word "zealots" in the article, which seems to suggest the author has a bias.
IMHO, choosing proper open formats has got ZERO to do with religion or beliefs, but everything with realistic value assessment.
At the simplest level, it's a single source monopoly versus a diversified market - which option has the best impact on costs? At a political level, there is the question if handing off money to a foreign entity instead of fostering local spend is not worth reconsidering. At a standards level, do you really trust a standard which is not even that well controlled by the people who WROTE it, or do you use one which has been a well evaluated standard at EU level, one that was arrived at through proper consensus (instead of bribing the voting system) and which incorporates the needs of all, not just a prescribed set of features dreamt up by an entity that's not even paying tax here?
And finally, the ILoveYou virus already showed the danger of a monoculture, and there is really only one standard that works reliably and renders relatively true on ALL platforms instead of the selected few. Hint: it's NOT OOXML. Heck, I can't think of anything LESS deserving the moniker "Open" - it's a travesty.
Re: Mental exercise
Couldn't you just get Macs and spend more time with friends, family and loved ones?
It's a home situation, and given the budget sensitivity I suspect there is no appreciation of long term costs (which is where Macs have real advantages). In addition, it means learning a new platform which is not everyone's cup of tea - many are scared of the new, and I must admit I wouldn't have switched either if I hadn't bought a Mac for research (it wasn't originally my intention to switch, but it took less than a month to realise OSX was -for my needs- the perfect platform).
In addition, it's not just desk/laptops they're trying to secure. In my opinion, he's actually identified an unaddressed market, it IS difficult.
Back to theme: I also recommend looking at Prey. I like how it works, even though they have to sometimes fight the OS to make it happen.
FLASH! Uh ooooh...
It's not going to take long before some bright spark works out that tapping the data feed from all those ads is an excellent way to increase CCTV coverage :(
Re: SciFi Now
The manufacturers of the kit protested that they used the same safeguards as the Pentagon
As long as they're not the same safeguards as the NSA.. :p
Is Belkin in anyway liable for consequential loss?
I suspect there will be the usual barrage of 6 point size light grey-on-white disclaimers on the paperwork that comes with the kit. Only the market can act as a correcting force: if enough people care, it will no longer sell.
Re: Two words
Except that "Free" is an serious piece of misdirection that should not be allowed under advertising rules. If it was truly free you would not have to pay for it with personal data.
Let me quote you an example, directly from The Cloud:
"Your use of the Services is reliant on you providing us with authorisation for the use of your information as set out in this notice. If you withdraw your authorisation, from us at any time, we will remove access to the Service until you refresh your consent.
You can choose not to receive marketing information and the Services from the Cloud by writing to Data Protection Compliance Officer, Third Floor, Victoria Square, St Albans, AL1 3TF.
You can also choose not to receive marketing information and the Services via the 'unsubscribe' link in marketing communications we send you.
Any choices you make will be held separately from any marketing preferences you may have given to Sky and any of its Affiliates.
Well spotted if you missed something in there: you may be able to opt out of some marketing, but not from all of it. To me, this makes all the statements about it being "free" quite simply lies.
Your personal data has value, so be careful with it using it as a currency to pay for "free" services. If the data leaks, you will pay forever because you cannot change who you are.
Re: Of course your phone app is secure
I wouldn't trust my Bank to code its way out of a paper bag
Ah, the benefit of age - I recall a very good Usenet quote about this:
I work for an investment bank. I have dealt with code written by stock
exchanges. I have seen how the computer systems that store your money
are run. If I ever make a fortune, I will store it in gold bullion
under my bed.
-- Matthew Crosby
Amen to that :)
I cant see much of a problem with this sort of thing.
Until a couple of them collide, come out of the sky and spent the last bit of their kinetic energy making a nice dent in a roof or, worse, in a person (this won't just be used on the road). Or when the first people get convicted for invasion of privacy without the defence and lawyer budget of being police or a journalist. Or when Johnny End User forgets that batteries have a limited lifetime, or when the OS crashes and it bricks in mid air. Or ..
I can see *loads* of trouble ahead, but also a new market in drone jammers :).
Re: always amazes me
Its a bit like the USB charging ports in Heathrow Terminal 5, now thats an attack vector that just keeps on giving to the security services.
Ah, you mean the Sony charging towers - they're everywhere now. IMHO a VERY clever information acquisition ruse - I must rig up a phone one day to detect the connections it experiences whilst hooked up.
Re: pip pip pip pip...
when the pips sound, you have to put more money in
Or bluebox it? Been a while, sorry :)
Re: The Lawyer from Lima
Did you also spot that this good man was already talking about untrustworthy code in those days?
To guarantee national security or the security of the State, it is indispensable to be able to rely on systems without elements which allow control from a distance or the undesired transmission of information to third parties. Systems with source code freely accessible to the public are required to allow their inspection by the State itself, by the citizens, and by a large number of independent experts throughout the world. Our proposal brings further security, since the knowledge of the source code will eliminate the growing number of programs with *spy code*.
A very stylish, elegant and pretty lethal put-down.
And this is news?
Using deception is not exactly news. Even before Fred Cohen developed his Deception Toolkit we were feeding wannabees whose sole reason for being on IRC was "wanting to learn how to hack" (translated: please let someone else do the learning) some tools to aim at 127.0.0.1. Nothing beats practical experience :).
BTW, all.net has got plenty papers on using deception - worth a read.
Re: Oh boy.
You don't need a degree in "Quantum physics" to understand it.
I don't think any one really understands it.
Ah, but this poses a rather interesting problem if this is to be used in "secure" communication, and it is one we already have with existing crypto: who can tell that it is secure or not, and is not fitted with a clever backdoor?
Who can we trust to (a) understand what is going on (personally, 13.5 states of undead for a cat give me a headache just to think about, but may make for novel zombie movie plots) and (b) be able to explain this in a way that others can verify and confirm?
Re: Cawing of the Vultures heard by more IT pros than ever before
First off, hat off yet again to El Reg.
As for commentards, I sensed more a dip in S/N ratio. Now that some of the N has gone, S has improved so cheers all around!
Ah, methinks I've found another Dave Barry fan :)
Re: Not sure if I trust this....
Do something simple: look up the MX record (mail exchange) so you know which server handles their email, then run a geo location on it.
; <<>> DiG 9.8.3-P1 <<>> blackphone.ch mx
;; ANSWER SECTION:
blackphone.ch. 600 IN MX 10 mail.blackphone.ch.
As with Silent Circle, you'll end up in the US. Game over. If a company cannot be bothered to take care of its client's privacy in EVERY detail, I'm not interested, and I predicted the manner of closing of Silent Circle before they even went live: US law.
It may be good technology they're developing, but as long as there is even a whiff of US involvement around this it's worth avoiding. All you'll do is mark yourself as a target.
Partially yes but mainly because for the first 100 -150 years of the US they completely ignored foreign patents and copyrights
.. which is a point that Cory Doctorow has made repeatedly, making the vast patent and copyright industry that exists now (and their whinging at China for principally doing the same) and all the associated chicanery in law and international politics just a tad hypocritical IMHO.
BTW, I second the general upvote of the article - it was interesting, informative and insightful.
Meh - you'll have to get them to fly first..
Re: Definition required
The internet does not force you to do anything that you don't want to do. If you want privacy; don't do anything in public. The internet is after all very much a public affair..
It's not that easy. Most adults without a tech background have no idea just how much data they hand over when using online resources, and the sole aim of the likes of FB and derivatives appears to be to goad our kids into an online life before they are old enough to realise the damage that can cause to their lives.
We have to be a bit more intelligent here. What was subverted (random generator) was already flagged as a bad apple a couple of years back, and discarded for serious use. What we learned now is that that lack of quality was no accident which creates integrity questions for the company in question, but it does validate the idea of publicly exposed crypto that needs nothing but follow Kerckhoff's principle.
In this context hides a bit of irony: AES256 itself is pretty much OK, possible because it wasn't actually "A" to start with, but Belgian (it was originally called Rijndaal). :)
instead of shovelling coal on the flames
Good heavens, Trevor, are you ill? :) :)
Happy holidays everyone. I hope you all have a great time.
Same here. Ho ho ho :)