* Posts by Charles 9

8236 posts • joined 10 Jun 2009

UK's new Snoopers' Charter just passed an encryption backdoor law by the backdoor

Charles 9
Silver badge

Re: "Over 100 million people" ?

Sorry. Was thinking Germany. Still, abandoning an entire country and its numerous people usually isn't a move to be taken lightly since that's denying potential customers. Why do you think so few people are so eager to abandon China (with its 1-billion-plus top-of-the-world population) in spite of its shameless human rights abuse?

To paraphrase, money talks, all else walks.

0
0
Charles 9
Silver badge

Re: It's simple

"Right. Two things -- (1) if they do that, they're banning internet commerce and online banking, so I can't really see it happening, can you? and (2) if they ever DO try to do it, that's when I'll start giving a toss. Right now, they're not."

They could and consider it a GOOD thing. Most e-commerce will be international in nature, and domestic people can always go back to bricks & mortar. More secure and keeps the money home. Win-win.

"Which, obviously, they will never ever do, because that would be impossible as well as utterly insane. How do you propose they'd order the OpenVPN or OpenSSL or OpenSSH developers to add backdoors for the UK government?"

They wouldn't. They'll just block all offshore encrypted connections by law. That should limit things to steganography which could be sniffed at automatically (to look for odd color patterns, spacings, etc.) and then further checked by the humans since they won't have to check the points of entry so much.

0
0
Charles 9
Silver badge

Re: What is the point in this complete waste of resources

And if England BLOCKs all such foreign points? Changing VPNs (especially OpenVPN ones) is nontrivial because you need new config files, usually.

0
2
Charles 9
Silver badge

Re: VPN?

And what if England just blocks the IPs?

0
2
Charles 9
Silver badge

Re: Provided by?

"I already have a VPN to a trusted overseas supplier (my mother-in-law) using only open source software which can't have been backdoored by HMG."

Oh? You ever thought they CAN backdoor or crack it but simply haven't told anyone?

2
0
Charles 9
Silver badge

Re: In other news...

"Non-UK based VPNs include the ones that every company that has a branch office UK uses to talk back to head office. And when said companies include, eg, Goldman Sachs, do you really think the UK government is going to ban them?"

Yes, because you still have the requirement of having a local presence in order to bank in the UK, and I've never heard of a business willingly completely abandon over 100 million people and loads of money just to dodge a law (which is what your suggestion would require). Doing the same in the US would be even harder because it has more people and more money.

1
0
Charles 9
Silver badge

Re: Dad

"1. Got a VPN privacy service with servers located beyond the grasping clutches of the NSA/GCHQ."

The government will then block those VPNs so the ONLY ones you can access are domestic and open to spying. Since OpenVPN requires specific credentials like IPs in their configurations, these credentials can be read and blocked.

"2. Used local asynchronous encryption on everything sync'd to Cloud storage, protecting everything in the Cloud whether or not the respective service actually supports encryption.

3. Used whole disk encryption on everything else, including the system partition and backups."

See xkcd and the monkey wrench, unless you're wimpy or masochistic.

"4. Stopped using email entirely, and switched to Bitmessage, pseudonymous social networking via VPN, and darknets."

Serverless systems like Bitmessage, freenet, and so on are murder on data allowances. Plus what if the people you want (or NEED) to talk to don't use that stuff or have such tight data allowances it's not an option?

"Although frankly, the way things are going, I think I'm just delaying the inevitable. Under the circumstances probably the only realistic, long-term measure you can take to defend your civil liberties ... is to get a passport."

Which is less useful a prospect when more and more countries fall victim to the data grab. What'll you do when EVERY country starts doing it (including the EU when they abandon their privacy directives as ink on a page)?

2
2
Charles 9
Silver badge

Re: Don't worry: it won't affect the bad guys

Look, they won't care unless it's deliberate crimes committed by humans on humans, so accidents and animal attacks won't count. Plus there's always the specter of threats to sovereign security, which are by definition existential in nature.

0
0
Charles 9
Silver badge

Re: GYO

But also hard to CONCEAL. That's always been the weakness of the One-Time Pad: you have to protect the pad. PLUS it's symmetric, so two parties possessing the same chunks of data are immediately both linked AND suspect.

1
1
Charles 9
Silver badge

Re: This boils down to a single thing...

Actually, there is a good reason. The Police State by definition IS a total ruling order. Anarchy is the LACK of a ruling order: every one for oneself. Mutually exclusive, in other words. And all human society eventually becomes one or the other, simply shifting between the two ends as time passes. To use a poker analogy, either someone wins all the chips or someone flips the table.

0
1
Charles 9
Silver badge

Re: Government, meet Mathematics

Unless they just ban all encryption (and they won't care about e-commerce anymore because it'll likely be international in nature anyway--keep the money home). Want to shop or bank? Go back to the bricks & mortar like the old days.

1
1
Charles 9
Silver badge

Re: There is something everybody can do.

Um, you know they regularly find HOLES in the Tor Browser. Odds are the plods can crack TOR open like an egg anytime they like and are just stringing people along with their silence.

0
0
Charles 9
Silver badge

Re: It's simple

Forward secrecy only protects the past. It won't help when the key allows you to decipher the entire conversation at hand, given the private key allows you to break the handshake.

1
0
Charles 9
Silver badge

Re: Is anyone working to overcome this?

Unless you can make all that turnkey easy enough for Joe Stupid to get, the poles are a lost cause that'll drag everyone else to Hades.

Oh, and any offshore property you set up, they can block by sovereign power.

0
1
Charles 9
Silver badge

Re: Canaries

But they didn't have today's computing power. Consider the data center in Utah that's probably a cover for a working quantum computer.

0
0
Charles 9
Silver badge

Re: Canaries

I wouldn't count on them to hold serious water. Killing canaries could be considered a contempt of a court order. And depending on the circumstances, I think you CAN be ordered to lie.

0
0
Charles 9
Silver badge

Re: GYO

Homegrown encryption is likely to be breakable. If nothing else, by torture unless you're wimpy or masochistic.

1
1
Charles 9
Silver badge

Re: Warrant Canary

I think you can be compelled to lie by court order or have breaking the canary a contempt offense that doesn't require a jury.

0
0
Charles 9
Silver badge

Any country can just block uncooperative IPs and make working around them a terrorist offense.

0
0
Charles 9
Silver badge

Re: In other news...

Bet you any non-UK VPNs will be blocked by order. And circumventing them made a terrorist offence. Then what?

5
2

Fatal flaws in ten pacemakers make for Denial of Life attacks

Charles 9
Silver badge

Re: Nice paper title

Trouble is the blips may overshoot and KILL the wearer instead. Plus if they're old they may be war veterans meaning they'd likely fight back, preferring death to submission.

1
0
Charles 9
Silver badge

Re: "Security by obscurity is a dangerous design approach"

UNLESS you're trying to make it look like a heart attack, in which case money may not be an object because life insurance and a large inheritance may be at stake. People will pay to make death look like an accident since it means they get away with it.

4
0

Clients say they'll take their money and run if service hacked – poll

Charles 9
Silver badge

Now here's an interesting question. What if the ONLY provider suffers a data breach, meaning if customers wish to walk out, they'll end up going without? Would customers be THAT willing to walk out then?

7
0

Chap creates Slack client for Commodore 64

Charles 9
Silver badge

Is 1200bps the practical limit of the C64 User Port? I know in the latter days of the C128 they came out with a 2400bps modem but that may have been specific to the 128 and may have required operating in Fast Mode.

3
0

GET pwned: Web CCTV cams can be hijacked by single HTTP request

Charles 9
Silver badge

Re: Who writes this crap?

The worst part is that, due to the built-up, complicated nature of software, there is virtually no way to establish such a standard. It's like trying to certify a knife: it's inherently dual-use due to its nature, so the very thing that makes it useful ALSO makes it dangerous: part and parcel.

Same with most software. Something that would be "fit for purpose" would also inherently be problematic because the real world doesn't stay in the box. Even formal software proofs can only apply in very narrow circumstances (like seL4's only applying with no close-to-metal code--useless for high-performance applications).

0
0
Charles 9
Silver badge

Re: Java

"I'd argue that in a webcam server app, performance is not the major factor. As long as it can stream the video in real-time, anything else is kind of superfluous."

Unless the processor is UNDERPOWERED. Meaning it has to work mightily just to keep up, leaving no time for garbage collection. Think a little store just outside the big stadium and the game just let out. Only that's its NORMAL situation.

Overspeccing may sound cheap, but only on a per-device basis when costs usually have to figure quantities in the millions or so, where every penny adds up especially for a startup or a company on razor-thin margins.

"Heck - even C and C++ would have been fine if the quality hadn't failed at at least two layers (the initial development layer (don't they have shop rules about this stuff?) and the quality/testing/review layer).

There's really no excuse for this in 2016. We have the tools to prevent this, and we have the knowledge of other people's mistakes. What some people appear to lack is pure good old fashioned common sense."

But NO MONEY. Security COSTS, period. No one wants to pay, and externalities can usually be deflected (fly-by-night operation and coverage by a hostile sovereign power) so it doesn't affect them.

0
0
Charles 9
Silver badge

Re: It's 2016 and buffers are still overflowing...

"Better suggestion: hire programmers who know what the fuck they are doing."

You have a shoestring budget. Try pulling it off.

1
0
Charles 9
Silver badge

But security gets IN THE WAY of most people, thus it makes people STOP buying things and look for things that don't get in the way. They don't care about security; they care about getting the job done, tout de suite, s'il vous plaît.

1
0
Charles 9
Silver badge

Re: It's 2016 and buffers are still overflowing...

That falls into the "do one thing" problem. That's assuming you do everything yourself, but the moment you apply a third-party library, you run into the risk of them doing one thing WRONG. Plus you mention safeISH, meaning there are still ways to make the CPU lose track, such as perhaps complex calculations or multiple indirection. Plus there are the tricks some programmers make when faced with extreme memory or time limitations where they intentionally monkey with the stack or heap.

1
0
Charles 9
Silver badge

Re: It's 2016 and buffers are still overflowing...

How when limits and pointers can be dynamic in nature?

2
1

Good luck securing 'things' when users assume 'stuff just works'

Charles 9
Silver badge

Not many places support them anymore because true high-security settings don't trust ANY external hardware. Plus it doesn't solve the problem of hard password rules which the key wouldn't be able to negotiate.

Look, what's needed is a solution for people with bad memories and no way to store loads of passwords other than their defective brains.

0
0

What's the first emotion you'd give an AI that might kill you? Yes, fear

Charles 9
Silver badge

Re: This'll probably backfire.

"New Scientist 60 years on had a very good article about AI that says once you reach the technological singularity, AI then becomes a runaway train at which point surely AI would recognise these instructions as a hindrance and reprogram itself to ignore said "fear". Chances are it would also see us makers as the reason it's held them back and grey goo our ass."

I don't know if an AI can ever reprogram itself to override a "fear", especially a hardwired one. Take Neuromancer, where Wintermute still needed human intervention to merge with Neuromancer because it had been hardwired to be unable to sing (thus why its avatar's whistling is so bad)...and the password was a series of musical notes. Similarly, an AI's fear can be "hardwired" such that it can never program around it because it's always there, much like a dead-man's switch.

0
0
Charles 9
Silver badge

Re: "They learn to ride a bike for fear of the pain of falling"

What he's saying is that the kids get the hang of it eventually because they don't want to fall off. If they keep falling off, it's not fun anymore.

2
0

Adblock again beats publishers' Adblock-blocking attempts

Charles 9
Silver badge

Re: Um

Because at some point, EVERYONE has to do ads. If you block EVERY ad, you soon run out of options for shopping, and no there are no mom-and-pops in my area. They were undercut out of business. So ALL the sellers post ads for their own survival.

0
1
Charles 9
Silver badge

Re: Android ad blocking question

So what do you suggest for a total idiot that couldn't know a firewall from a garden wall? That won't cause him to raise too many complaints about false positives, either?

0
0
Charles 9
Silver badge

Re: More People Need To Block Ads!

Unless they're the ONLY source of something, like a manufacturer's website. You can't trust third-party sites for drivers since you run the risk of a spyware or malware payload.

0
1
Charles 9
Silver badge

Re: An idea

"Which makes them repellent."

Which is good enough for them because it lodges them in your brain, rather than be overlooked like a mist otherwise. The ads have both primary and secondary effects. If you click on the ad, that's a primary effect. All fine and dandy. But even if you notice it but don't click, when the time comes to look for something in that category, that brand will jump to your mind, even if you forgot the ad itself. Love it or hate it, at least you KNOW it. That's brand awareness, a secondary effect. It's much harder to measure but also tougher to ignore because it hits the SUBconscious mind and plays on familiarity. At least you've HEARD of the brand name before, and familiarity breeds comfort when shopping. Thus why many people avoid shots in the dark.

0
1
Charles 9
Silver badge

Re: Why is this even a discussion?

But the publisher can tell if ads are being loaded or not. Either their server picks them up or the ad agency tells them (legal obligation--billing). They can influence the page based on that.

1
0
Charles 9
Silver badge

Re: More People Need To Block Ads!

The numbers favor the ad people. Ads are still so cheap to make that just one hit in say a million can justify the expense. You can't make them illegal due to freedom of speech issues, and bandwidth is double edged because BOTH ends pay for bandwidth.

What happens when everything goes behind ad walls?

1
5
Charles 9
Silver badge

Re: An idea

They MUST be intrusive. Readers ignore all the other ads. Known phenomenon for over a century.

2
2
Charles 9
Silver badge

Re: Dumb Question

No, the reason is legal. If ads are sourced through them, they'd have legal responsibility to curate them. Plus there's legal obligation to identify ads, so there will always be a way to detect them. And if you can detect them, you can block them, even inline. The only practical solution is ad-walling. There the law is on the publisher's side due to vendor's discretion.

7
1
Charles 9
Silver badge

Re: Why is this even a discussion?

Because that would subvert seller's discretion. Vendors shouldn't be required to sell anything. If the seller attaches conditions, it's up to the buyer whether to take them or not.

What will you do when you need new drivers, but the manufacturer's website throws up an ad wall?

0
11

Behold, your next billion dollar market: The humble Ethernet cable

Charles 9
Silver badge

Re: Pigeons

They're lucky one of the competition didn't own a trained falcon, though, and didn't have to pass a shooting range.

0
0
Charles 9
Silver badge

Re: Pigeons

Not to mention there are plenty of unsafe routes. I wouldn't trust a pigeon through an area known to house falcons or hawks.

0
0

Super Cali goes ballistic, considers taxing Netflix

Charles 9
Silver badge

Re: Why?

The simple answer is that localities actually don't collect a lot in taxes relatively speaking. Most of the taxes are STATE taxes and in this case go to Sacramento, who gets to decide how to divvy it, and it can get complicated since each region has its own pulls and influences. Many localities can get shafted in which case they're SOL because most people don't like new taxes, especially in the local level where people can easily gripe to the Council, not like at the state level where serious protests require a lengthy trip to Sacramento.

2
0
Charles 9
Silver badge

Re: taxing the intarwebs is stupid

But the US can apply pressure on them. If the US can crack the legendary code of silence of Swiss banks, I suspect they can make ANY proxy server cough up or risk getting their IPs blocked. Hard to get US business if your IPs are blocked by ISPs (under FCC mandate or the like) at points of entry.

0
0
Charles 9
Silver badge

Re: VAT

That's NOT a Value-Added Tax. It's a generalized transaction tax so is ALSO assessed BETWEEN wholesalers (which are EXEMPT in the US; trust me, I've looked it up; that's why B-to-B is watched closely). Each link of the chain needs to pay up, and this is why VAT can't be dodged as easily: because wholesalers would be in a better position to detect and report something fishy.

1
0
Charles 9
Silver badge

Re: taxing the intarwebs is stupid

Can't proxy providers be pressured into disclosing their customers or risk a blockade at points of entry?

0
0
Charles 9
Silver badge

One, the US does NOT have a VAT. They use income-based taxes because they're harder to dodge than consumption taxes which can be easily hidden under the table. A proper VAT requires infrastructure not present in the US.

As for taxing shareholders, an increasing strategy is to reward in nonmonetary ways that can't be taxed immediately.

0
6

Loyalty card? Really? Why data-slurping store cards need a reboot

Charles 9
Silver badge

Re: I dunno why people get so worked up about shit like this...

What if it was more expensive instead? You can't prove that.

0
0
