Re: Drop in the ocean
According to TFA, the 19,000 number is just for the "worst of the worst". The PhotoDNA wikipedia article mentions that "Project Vic" has a database in the millions of hashes.
cryptographically broken and unsuitable for further use
"Cryptographically" being the operative word. In this case, it's not being used cryptographically.
for important things - like anything approaching censorship or criminal justice, perhaps - I don't think we should be using MD5
In their defence, it's entirely possible that they started using MD5 for this purpose before MD5 was so widely considered useless. And since it's a criminal offence to have possession of the images in question (exceptions notwithstanding), they may no longer have the source images from which to generate new hashes. However, they certainly shouldn't be using it for new images, and given the inclusion of PhotoDNA hashes in the programme, it's entirely possible they no longer do so.
That said, I would certainly hope they do a more detailed check than just comparing MD5 hashes, before breaking your door down in the middle of the night.
I'm a dreamer, I know.
By our reckoning, they would pay a couple of percent for this in the form of revenue-sharing.
A couple of percent to Deutsche Telekom, a couple of percent to BT, a couple of percent to Verizon, a couple of percent to Virgin. How many ISPs are there in the world again?
Or perhaps he means they should pay 2% of the revenue from each customer to that customer's ISP? Which still means there needs to be infrastructure and employees to manage the incredible complexity of the resulting accounting needs. Not to mention what happens when one customer accesses the service from both their home wifi and their cellphone connection, and perhaps also from their work wifi, or at the library?
Either way, I can see the costs of such schemes easily exceeding 100% of a small company's per-customer revenue.
Besides which, isn't the entire point of companies like Akamai that they aggregate the "servers at every ISP" model, for smaller companies which don't have the resources or clout to do it themselves?
[The] video from the project's KickStarter page suggests there is a prototype in existence, but not a very effective one: the device does knock off a few hairs, but is a long way short of the experience of pulling a conventional razor down one's skin and having the majority of hairs beneath the blade cleft.
Isn't that the very definition of a prototype? Something which proves the concept, but needs more work to become a finished product?
Companies don't pay tax, people do.
Given that actors in modern economies are all so intricately intertwined, it seems to me that making such a distinction is pretty much meaningless, except to push a political agenda.
Sure, a tax directed at companies will affect the amounts they give and take from people. But conversely, a tax which is directed at people will also affect the amounts they're willing to give and take from companies.
Any tax is really just a tax on the economy as a whole, so who has to pay any tax should really be decided solely based on where is most efficient to extract it.
The argument here is complete bollocks. If data were held in, say, Ireland the USA would need to request an Irish court to release the data. If the Irish court was satisfied that there is good reason then it would probably order a release of the necessary documents, much as it would agree an extradition of a person.
In the Microsoft case, the US government could indeed have asked the Irish courts for the data. The fact that they haven't, and are pushing this issue through the US courts, suggests to me that this is not about getting this particular data from Microsoft, but about setting a precedent.
If the US government can get a legal precedent set, that US corporations must hand over data wherever it lies, then they wouldn't have to get cooperation from, or even inform, other nations that information was being requested.
First up, of course emails are not private - that's laid down in the spec.
I'd argue that private correspondence can still take place using postcards. Just because someone might overhear or see what you're saying, doesn't necessarily make a one-on-one conversation public.
What 'personal data' is there?
Even if the email is encrypted, there is still personally-identifiable metadata - sender email address, mail client headers, IPs, etc.
What's more, it would be absurd to argue that the recipient is the one sending data to Google - that is, obviously, what the sender has done. Again, that's by definition.
Sort of, but only indirectly. If I send a postcard to a PO Box in Bristol, and the person managing that PO box has instructions to forward everything to an address in Kentucky, did I send that postcard to the US? Or did the post office do that, at the behest of the PO Box owner?
Email is somewhat similar: When most people send an email to firstname.lastname@example.org, they firstly hand it off to their ISP or email provider, whose email server checks the DNS of smallshop.co.uk for where to send the email (ie. smallshop.co.uk are instructing the email server where to forward the message). If that destination server is in the US, well then.
If your machine's *only* internet connection is through Tor, then there's no IP address *to* leak, except maybe your local wifi one (192.168.x.x or such).
These aren't worth the paper they're written on. This aspect of voodoo crime fighting has always troubled me.
Voodoo can be very powerful when the subject believes in it, and people have long been fed a diet of Hollywood polygraphs which work.
Running a TOR exit is not the same as using a knife. It's the same as giving free knives to anyone who wants them.
An even more apt analogy might be that of Libraries themselves; lending books to anyone, without logging who reads what.
Do libraries stock the classic novel "Lolita", despite it possibly attracting paedophiles?
Do libraries stock books on the history of the middle-east, despite them possibly encouraging religious extremism?
Do libraries stock chemistry textbooks, despite them possibly being useful to manufacture illegal drugs and explosives?
By voluntary cooperation, what is the White House saying?
Given the context of the document (where support for backdoors isn't even an option), and even the paragraph in which the sentence in question appears - the context of aligning others to a policy encouraging encryption and discouraging backdoors - I'd suggest that the memo is speaking of tech companies voluntarily cooperating with implementing strong encryption and discouraging backdoors. Lawd knows there are still enough tech companies which still need to pull their fingers out and encrypt all the things.
So if that's the sole sentence that could be found - in an 11-page memo - which could be construed as objectionable, then I think that's a pretty damned good memo.
There are some circumstances under which messages could feasibly be accessible to Apple. ... however that's a hypothetical scenario and there's no reason to think Apple hasn't kept the faith.
I'd think that being served a court order to intercept that traffic is quite a reason.
If they have even a hypothetical ability to intercept traffic, to not attempt to put that ability into practice could well be seen as breaching that court order.
You don't use any hard-drives, SD cards, or memory sticks? I don't know about France, but in some jurisdictions those certainly count as "blank media".
Makes me wonder if they've also lobbied for the tax to apply to RAM as well. After all, I can create a logical disk entirely in RAM, and store copies of files in there.
I think you'll find almost all goods are priced differently in the UK, France, Germany and Bulgaria. Haven't you noticed this before? Do you never leave the UK?
Nobody was arguing that, Andrew. The argument was about being able to go to another country and buy the good, without (I think) import duty, taxes, or restriction - thanks to the European single market.
A more useful counter to 42's comment would be to say that: Yes, you have the right to go to a more distant ASDA and buy your groceries. However, that ASDA have no obligation to *deliver* groceries to your particular address.
Comparatively, you have the right to go to Estonia to watch Estonian football, but the Estonian broadcasters can decide (via contractual relationships with suppliers) not to *deliver* the content to you in the UK, Belgium, etc.
So the question is more like: should cheese makers (blessed be they) be allowed to contractually prevent Morrisons from providing home-delivery of their cheeses outside of the UK? Or "L'Asda" outside of France? Or Teskyyäää outside of Finland?
Opponents to the plan say the winner would be Hollywood, which can license its generic lowest-common-denominator material at low cost across Europe
They don't already?
Seems to me that the only ones who can't already license their material at low cost across Europe are the smaller national producers, who may not have the resources to negotiate dozens of different agreements.
Could he put in a clause that says that any use of the code for profit making ventures needs to obtain permission from the author, subject to being sued?
No. The GPL does not allow for any additional restrictions to be placed on the use of the software.
This is the reason why GPL software is incompatible with the iOS app store - IIRC Apple limits the number of devices you can install on, etc. (yes, there is some otherwise GPL'd software on iOS, but they are generally using proprietary relicensing - ie. the version for iOS is not GPL'd).
Now I don't mean to cause surprise and alarm, but judging by the gigantic equatorial croissant on the right of the image, I suspect the French got there first.
seems to have worked out all right in the end
This is not the end. This is not even the beginning of the end. But it is, perhaps, the end of the beginning.
With Zettabox your content is safe from cybercriminals and foreign government intervention.
The only way for that to be really true is if it uses full end-to-end encryption; where only the user/customer has the keys to decrypt the data. And if you use full end-to-end encryption, then it doesn't really matter where the data is stored, because getting access to the encrypted blob doesn't get you anywhere without the keys.
From what I've read about Zettabox, I very much doubt they use full end-to-end encryption.
Most notably, pop star Taylor Swift withdrew her music from Spotify in protest against the freemium model.
I heard that Swift removed her music from Spotify so that people would be more likely to buy it outright, which would be more profitable. Though I'm sure she did, in fact, do it entirely out of principle, and the imminent release of her new album at the time was purely coincidence.
It isn't just about businesses with developers, it's about typical users with their own .me domain name hosting their blog about their kitten
So in your mind, the "typical user" runs and maintains their own VPS, on which they manually install and configure wordpress and apache? And, despite their apparent server-side expertise, they're incapable of adding a few lines to their apache config to enable SSL?
Are you sure the "typical user" won't actually be using a hosted service for their blog, where all the complicated back-end stuff is actually done by a business with developers?
Sorry, looks like I picked the wrong week to give up Airplane gags.
Have you ever used an open WiFi access point? On an insecure, shared, WiFi network, it is trivial to modify plain HTTP traffic to serve up porn, ads, or exploits which install malware on computers.
Do you absolutely trust your ISP? Do you absolutely trust every employee at your ISP? Your ISP can see *everything* you do in plain HTTP. And, like the above WiFi situation, your ISP (and any technical employee thereof) is in the perfect man-in-the-middle position to modify all of your insecure traffic - with or without official blessing of the company.
So then tell me: Why should we *not* secure websites?
Think I'll wait...For those cheap aluminium batteries we were talking about a couple of weeks ago.
I'm still waiting for those cheap batteries we were talking about last year. And the year before, and the one before that, and the one before that, and... pretty much every year this century.
So I wouldn't hold your breath.
What about the multinationals that have info in several jurisdictions, and find they can't move data between them? They'll head for the places with the lightest regulation, as always, and the jobs will follow them.
Unless you're also suggesting that all the customers will also abandon the EU; reducing Europe to a depopulated wilderness of hunter-gatherer communities; then there will still be demand for these services in the EU, which means money to be made.
If the large multinationals don't want to obey the law to get some of that money, then I'm sure there will be some local companies to fill the void, and "create jobs" - probably more (and more varied) jobs than the large multinationals would have needed.
Which appears to be the point.
I thought this was going to be a story about Microsoft contributing to the free-software community. But that VMM screenshot sure doesn't look like the VMM that I'm used to.
I guess Red Hat really are the Microsoft of Linux. At least when it comes to naming software.
The argument here is that only real human beings can actually pay taxes. Alternatively, any and all taxes mean that the wallet of some live human being gets lighter. There ain't anyone else here but us, after all. So, we can charge taxes to legal persons (corporations) but it's always some real person (ie, human) who really pays it.
Is that not entirely tautological? The only reason that real human beings are the only ones who pay tax is because you've already declared that only real human beings pay tax.
One could take it from the opposite perspective: Most real human beings get their money from corporations, and give their money to corporations. So whenever we levy any tax on real human beings, "lightening their wallets", it's really the corporations that are having to pay that tax; through higher wages, lower margins, etc.
I'm not sure it's at all productive, or even sensible, to declare that one group or another is "really" the one who pays all the bills; not in the massively interconnected and interdependent economies we have.
The moment Google starts screwing over us consumers then we'll bugger off elsewhere.
That's only true if the consumer is informed that they're being screwed over. Who's going to do that? Google?
The obviousness and novelty of patents are judged, not by the patent's abstract (its introduction/summary), nor on media reports of that abstract, nor on commentards' interpretation of media reports of that abstract; but on the actual independent claims identified in the patent application.
Few people, even those who should (ie. media reporting on the patents), bother to actually read the most important parts of patents before criticising their obviousness.
“We are disappointed by the position taken by these tech firms and it only adds to our problems in getting to the communications of the most dangerous people that are abusing the internet,” he said.
Surely the NSA/GCHQ/etc. should have all their own communications on internal servers, so why would they have problems getting to them?
Installing taps on Internet backbones = abusing the internet.
Sending encrypted communications = using the internet.
1. Watchdog raises issues with corporation
2. Corporation makes changes to satisfy watchdog
It was a vaguely interesting idea but, at this point, with Microsoft's announcement of Hololens and Google's own significant investment in Magic Leap, it's very unlikely that Glass will ever see light again
Why do people insist on comparing Glass to VR and AR headsets? Can people really not see any further than "it sits on your face therefore must be the same"?
Glass' closest equivalents - in terms of actual functionality for the general consumer - are actually smart watches.
For industrial and medical uses (eg. use during surgery), however, Glass has no equivalent AFAIK.
Faulty input validation is one thing, and the most obvious that people pick up on, but I can't help feeling that this occurred entirely because of a fundamental wtf in the API design:
It introduces path traversal making attacker’s job much easier - you only need to type '../sms' to turn /verify API call into /sms (/verify/../sms/authy_id) which will always return 200 status and will bypass 2FA,
So they appear to be using an HTTP-based API. In the HTTP protocol there are explicit places for communicating user-supplied variables - in the query string or POST body. So why, for the love of Tim, are they putting the (user-supplied) verification code in the request path?
That's just.... no.
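As an added illustration (not code from the original post, and not Authy's own API), a small Python model of why a path-based verification endpoint gets misrouted, assuming hypothetical /verify and /sms routes and a numeric code format, beside the two hardened forms the comment argues for:

```python
import posixpath
import re
from urllib.parse import urlencode

# Constructed stand-in for a 2FA verification service whose HTTP API, like
# the one criticised above, takes the user-supplied code as a path segment.
# The route names and code format are assumptions for illustration only.
ROUTES = {"verify": "verify", "sms": "sms"}

# Most HTTP stacks collapse "." and ".." segments before dispatching a route,
# which is exactly what turns /verify/../sms/<id> into /sms/<id>.
def normalize_path(raw_path: str) -> str:
    return posixpath.normpath(raw_path)

def dispatch(raw_path: str) -> tuple[str, str]:
    """Return (handler, remainder) the way a path-prefix router would."""
    parts = [p for p in normalize_path(raw_path).split("/") if p]
    if not parts or parts[0] not in ROUTES:
        return ("404", "")
    return (ROUTES[parts[0]], "/".join(parts[1:]))

# The vulnerable shape: the code is interpolated into the path untouched.
def verify_path_unsafe(code: str, authy_id: str) -> str:
    return f"/verify/{code}/{authy_id}"

# Hardening 1: whitelist the segment before it ever reaches the path.
CODE_RE = re.compile(r"[0-9]{6,8}")   # assumed OTP format
ID_RE = re.compile(r"[0-9]{1,20}")    # assumed account id format

def verify_path_safe(code: str, authy_id: str) -> str:
    if not CODE_RE.fullmatch(code):
        raise ValueError("verification code must be 6-8 digits")
    if not ID_RE.fullmatch(authy_id):
        raise ValueError("account id must be numeric")
    return f"/verify/{code}/{authy_id}"

# Hardening 2 (the point of the comment): keep the path fixed and carry the
# user-supplied values in the POST body, where they cannot alter routing.
def verify_request_safe(code: str, authy_id: str) -> tuple[str, str]:
    if not CODE_RE.fullmatch(code) or not ID_RE.fullmatch(authy_id):
        raise ValueError("rejected malformed verification input")
    return ("/verify", urlencode({"authy_id": authy_id, "token": code}))

# Server side: even when routing succeeded, the handler revalidates the
# segment instead of assuming a matched route implies a well-formed code.
def verify_handler(remainder: str) -> int:
    parts = remainder.split("/")
    if len(parts) != 2 or not CODE_RE.fullmatch(parts[0]):
        return 400
    return 200  # format OK; the real OTP comparison would follow here

if __name__ == "__main__":
    print(dispatch(verify_path_unsafe("../sms", "12345")))   # ('sms', '12345')
    print(dispatch(verify_path_safe("123456", "12345")))     # ('verify', ...)
    try:
        verify_path_safe("../sms", "12345")
    except ValueError as exc:
        print("rejected:", exc)
```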
It's about trying to keep a competitive market for services on the Internet.
If ISPs zero-rate particular services, then the ISPs are slanting competition toward their preferred winners, rather than the end users choosing the better service.
Also, if the ISPs let anyone zero-rate, but require payment for it, then established players get (yet another) advantage over any innovative new start-ups - who may not have the cashflow to be able to afford zero-rating their service on every major ISP on the planet.
Don't call them "trolls" like it's some new phenomenon that appeared with the interwebs (and therefore we need new laws to deal with it, goes the reasoning). Such people have been engaging in this kind of behaviour since time began, so call it what it is:
The US biz said in 2012 it would be working to get users over to Hangouts – which supports modern stuff like video conferencing.
You could do video conferencing using XMPP (Jingle) since well before Hangouts were ever a thing. IIRC Google even added support for it to Google Talk.
Why on $DEITY's Earth would they want a random link button?
On a large complicated project, sometimes writing a silly little feature that is mildly entertaining, but serves no real purpose, is the only thing which can keep a developer sane. For a while, at least.
I always thought his defence was going to be along the lines of: "Ulbricht sometimes had access to the account identified as DPR, but so did several other people over the course of time, and it was not Ulbricht who performed any illegal acts using that identity."
Though I wasn't there, so I don't actually know how much evidence the prosecution was able to provide identifying Ulbricht as DPR (and the only DPR) at the time that the offences took place.
I wonder if "my lawyer was crap" is a valid basis for appeal?
<font face="Comic Sans MS" size="16" color="hotpink" >Me too!</font>
"~-,._.,-~"~-,._.,-~"~- Raumkraut -~"~-,._.,-~"~-,._.,-~"~-
Posted by Stuart Longland on 8 Jan 2015:
> Especially when said legalese tells the world + sundry that the email may contain "confidential" information and was sent to a publicly-archived mailing list! It seems to be the corporate fashion these days, as is HTML in email.
> I noticed recently my email signature started to show a long legalese blurb, and it was the first thing to go. I participate on far too many publicly archived mailing lists as part of my day-to-day job to have this hindrance to communication.
> I'm also the office Luddite with plain-text emails.
> A few reasons why legal disclaimers should not be placed in email signatures:
> - They are too long to fit in an email signature, which should be approximately 4 lines long, 6 at an ABSOLUTE maximum
> - The content often presumes facts about the email and its intended audience which mostly wind up not being the case or places restrictions which are not appropriate for the intended audience
> - They appear AFTER the email content, so it's only when you get to the footer do you realise "Oops, I shouldn't have been reading that!"
> Due to the last two points, I would suspect they have next to no legal value. Pretty sure for a legal document to stand, the person has to see it and agree to it first before it becomes binding.
> Moreover, email is inherently plain-text unless you've taken steps to ensure privacy (e.g. using industry-standard tools like S/MIME or OpenPGP). Unless you do this, I think it unreasonable to assume any kind of confidentiality over email.
Yep, this sounds like yet another WebRTC implementation. I hear about a new "secure video chat" service about every other week these days. Even Mozilla baked one into the Firefox browser itself. I thought that I might get a break over chrimbo, but apparently Herr Dotcom needed his dose of publicity this week.
The problem with the current crop of WebRTC clients is that, while the conversations are direct between clients in a p2p manner, they need a centralised server (website) to provide the routing of calls (aka call metadata), by virtue of the web browser security model.
The most interesting project to me in this space is Tox which, while still being in a rapidly-developing alpha stage, appears to be well functional for text/voice/video chat.
Well, https doesn't encrypt URLs, for one thing. So a snooper can see (the URL of) all pages you visit using https, even if they can't see the content.
Incorrect. HTTPS doesn't shield the destination server (domain/ip address) you connect to, but everything more specific than that is indeed encrypted - including any URLs you request on that server.
There are not only 2 states.
Chrome has: 1) A green bar for EV-certs, 2) A green lock for a valid cert, 3) A red strike through the "https" when the security is flawed, 4) No indicator for completely insecure sites
Firefox has: 1) A green bar for EV-certs, 2) A green lock and owner info for a valid cert, 3) A big stonking warning page when the security is flawed, 4) No indicator for completely insecure sites
Without any indicator in the case of 4, the effect is to imply that a complete absence of security is better than partial security (eg. no authentication, but protection from passive interference).
AFAICT, this proposal for Chrome is to treat 4 in a similar manner to 3. This appears sensible to me.
A broken HTTPS, i.e. something like a MITM or other attack, should set off alarm bells even in the brains of a clueless surfer, but it won't if it shares the same indication as half the sites he browses!
The problem is that it is impossible for the user to know whether there is a MITM if they're not using HTTPS. This proposal is to stop naively acting like HTTP is somehow magically a better environment than, for example, a site which uses a self-signed cert.
Google's engineers are idiots living in their ivory tower, not understanding that not everyone is an ubergeek who implicitly understands this stuff.
So because some people can't be helped, we should throw everyone else under the bus? There is a wide swath of people between "ubergeek" (who don't need this warning to understand) and "dufus"; and some of those people are capable of understanding, if they're given the right cues.
They think they're being clever and will encourage site owners to switch to HTTPS, but there's no point for a lot of sites to ever do so.
If a site doesn't want to prevent MITM attackers injecting malware into requests to their website (among other things) then sure, there's no point.
The vast majority of web content has zero security relevance. Who *cares* if that cat picture is sent securely?
Do you like your web traffic to have ISP-injected advertising added to it?
Do you enjoy having your ISP add uniquely-identifying tokens to every page request?
Do you enjoy not knowing whether that file you just downloaded from $reputable_site has been tampered with?
Do you like receiving web pages which could be trivially rewritten to directly contain malware?
I don't. That's why I prefer the authentication and privacy offered by TLS.
And when we do "finally come to realise" that, what do you think will follow?
If this decision goes "against" Microsoft, et al, I think that what will follow will be a series of large multinational corporations splitting some of their operations and services into multiple individual national-level companies, rather than everything being directly owned by a single parent entity.
For the governments, it would reduce the ability of companies to "avoid" taxes, or other local laws, whenever it suited them.
For the corporations, they'd get a single, known, legal jurisdiction to deal with; and generally much smaller market variation to tailor their product to. They'd also, in theory, have more autonomy from "head office", and freedom to choose business partners (local laws permitting).
For the customer, we'd effectively get more competition between companies and legal jurisdictions; with the customer deciding which jurisdiction is best for them, and not the corporations deciding for everyone purely for their own financial gain.
I, for one, welcome our new federated corporate overlords.
Class-action suits aren't about getting the plaintiffs rich, they're about punishing corporate activity which illegally harms the consumer. Of course lawyers get rich in the process, but they do that whatever the case, so that's neither here nor there.
The interesting (and often most questionable) part IMO is what will become of the portion of the inevitable settlement which remains unclaimed by class members (which is usually most of it).