771 posts • joined 16 Jan 2011
Re: "So" protective of... definitions of right and left, perhaps.
"Despite the sad excuses given here Barack Obama has the sole authority to start and stop these surveillance programs." No, not quite true. The Congress can do that, but the President is fairly limited in his authority to not spend appropriated funds. He can, of course, omit funding from programs he dislikes from his budget request, but if they have Congressional support they are liable to be put back. The history of the GE-Rolls Royce F-35 engine is instructive.
Re: WTF? Cynthia McKenney?
"opportunist politician": a person who holds or actively seeks elective office.
And really: the Green party? In the US? Might just as well be a Libertarian or member of the Natural Law party.
Re: The best thing about Ubuntu is...
Yes. We are the 1%!
I'm not at all clear about why anyone would expect multifactor user authentication to be very helpful. Has anyone a census of the number of Windows machines hacked by way of password guessing? My hunch is that better than 99% of compromises result from software and wetware errors. The main advantage for users might be that it can simplify login procedures.
Those who administer a large number of systems will want to disable user admin rights as much as politically possible in their organization, so they also may not receive much benefit from multifactor authentication, perhaps using it only for those with administrative rights. I know of one federal agency where everyone has a smart card for access and those with admin privileges, which included many of the application developers, had a second one associated with authority to install and configure software. Management thought that preferable to the cost, which I think was around $50 a call, for the outside provider to do it.
Signed-by-trusted-providers software sounds useful, but might be ignored in part or full unless Microsoft provides a capability for users to add to the list of trusted signers. Wouldn't hurt to make people think a bit about it, so there's no need to make it a simple check box.
Re: The media strikes again!
Notable school mass killings before the mid 90's:
1927: Bath Township, Michigan.
1966: University of Texas
1976: California State University, Fullerton
The earliest was bombs placed by a school board member, but killed 44 (38 school children) and injured 58 others.
Re: the "fun" part about systemd
Well, I have noticed that since I set up a couple of systems on Jessie and systemd I wind up booting them a lot more often than the Wheezy ones that still use sysv. I'm not sure whether to blame that on the slight instability that goes with a testing release or on systemd. They do seem a bit more unstable than my past experience given the announced freeze date of 5 Nov, only two weeks from now.
Re: Encryption blocks nothing.
References to encryption of communications are generally off topic here. Comey was complaining about Android and Apple encryption of data at rest. The FBI, as well as state and local police, can obtain warrants to obtain telephone call content. CALEA provides for that. And as noted, they can obtain warrants for email and other communications, and subpoenas for communication metadata, although users may encrypt them so that the results from Google, Microsoft, or others is effectively as unusable as what is stored on an encrypted phone.
The complaints of Comey, Holder, and others about cell phone data encryption, in addition to almost certainly overstating its importance by quite a few orders of magnitude are, unfortunately from their viewpoint, pretty much about a dead issue, at least for Android phones. The Google Play Store shows 250 encryption programs of various kinds, nearly all of them free and some of them probably decent implementations of secure protocols and algorithms. An Android user willing to install programs from other, perhaps dodgier, sources probably has a much larger set to choose from. Apple users may have to root their device if they don't trust Apple's implementation or one of those available from the Apple store. However, it is likely that those able and willing to root an iPhone, like Android users, can find encryption capabilities from sources that national governments do not control.
Re: So...FBI wants extra powers then
The FBI boss said nothing to indicate a wish "to read any and all correspondence on your device at any time".
He expressed a wish to be able to do that with a search warrant, issued by a court based on a showing of probable cause to think the phone contains usable evidence of a crime.
As stated, providing a back door is madness and was rejected in principle over twenty years ago.
And, unfortunately for the FBI and others, government resistant encryption has been widely available for use by those with moderate technical knowledge and expertise for over two decades (email and computer files), built in and easy to activate for three years or so on Android devices, and is available as a default for Apple portable devices beginning with iOS8.
First, the requirement for a warrant to search cell phones incident to arrest has been settled law since June, 2014. Before that there was some doubt, but warrants would have been required for cell phones in essentially all other circumstances based on prior law and court decisions. Comey's complaint is not that encryption will prevent searches without warrant (which are illegal) but that when he obtains a legitimate warrant to search a cell phone he may lack the practical capability to do it due to encryption. It is not clear why cell phone encryption hit his hot button (and the Attorney General's as well), since the argument applies equally to many other types of computing equipment.
Second, it is not clear that complaining now makes sense. That horse left the barn more than 20 years ago, not long after PGP became widely available when someone noticed that it could be used for files. Those with a need have been able to use government resistant encryption for quite a while, with a relatively little and declining effort. If they did not do so, and by that became vulnerable to capture for crimes, it is their problem.
Third, law enforcement officials still have the capability to obtain call metadata by a court order and, with a warrant, to tap phones. The additional capability to decrypt stored data probably would be useful in some edge cases, but probably also represents a tiny part of the search warrant universe, which itself is a small part of the criminal investigation universe. As they cannot do anything effective to prevent encryption, they might as well put it behind them and get on with their business as well as they can. When it turns out that they have enough probable cause to obtain a warrant, they also are likely to have the authority of the issuing court to bring a good deal of pressure to bear on the recipient who denies access to search the device.
If I had a conspiratorial bent I might think this was a ploy to confuse us into believing that cell phone data encryption was a new and significant impediment to law enforcement activity. I do not think that, but that the complaining officials, like many in all kinds of organizations, have confused themselves into thinking that obscure corner cases are as important as the ordinary common ones.
Re: Is this
The last I heard, all first class snail mail was photographed to obtain the metadata.
I am skeptical, though, about the implied proposition that X-ray would produce a useful image of a letter's contents.
Re: Founding fathers?
On average, the founding fathers opposed slavery, but to get agreement on the Constitution pinched their noses and signed off on the 3/5 rule and prohibition until 1808 of laws forbidding slave importation. You may think that cowardly or immoral, but it is not clear that slavery in the middle part of North America would have ended as early as 1865 if there had been two nations instead of one.
The same founding fathers, by the way, also insisted on the Bill of Rights as a deferred condition.
Re: "was seriously hampering the efforts of cops"
Encryption capability superior to Apple's pre iOS8 has been baked into Android releases for about the last three years. Default activation has not, but we may reasonably think that anyone who thought they had a need activated it, yet life has gone on. Law enforcement officials seem to think all criminals are so stupid that they need Apple and Google to protect them.
Re: In general - and not specifically about Arab States...
"Why should a State have any rights ..."
Traditional answers often have come down to "because God wills it."
One early 20th century answer was "the vanguard of the proletariat, because it understands their proper will better than they do themselves".
One reason for the enormous disconnect between "The West" and most of the Middle East is that the fundamental idea that legitimacy derives from the consent of the citizens is not well rooted there. That notion is far from universal even in modern countries with liberal democratic regimes.
doesn't a legitimate government have a mandate to at least try to decide on what content is available in its country ?
To a first approximation in the US: No.
Copyright and copyright enforcement, although seriously damaged or broken, would be an exception; like it or not, they were established by processes generally considered legitimate and the way to change them, if we wish, is to use those same processes.
Porn might be an exception, but courts have not, in the end, treated its suppression with favor except in the matter of child porn.
Some statements published via the Internet may be legally actionable in civil courts and subject to takedown orders, although the effectiveness of such orders might be quite limited.
In other countries, the government's authority - legitimate power - to limit content availability may be much greater. The government of the People's Republic of China certainly is legitimate (on the mainland), yet it exercises great control over content availability without calling its legitimacy into question.
I tire of reading things like "We get controlled via the media tied to corporate interests ..." with scarcely a hint of exactly how, other than our presumed laziness, this is done in the US (and other Five Eyes countries, and NATO, and quite a few others).
Those who make such claims should occasionally explain just how this is equivalent to expropriating, jailing, or killing the opposition, as done in some countries that all of us could name.
1. The announcement, for some reason, reminded me of Fleischmann, Pons, and electrochemical cold fusion claims.
2. We already have a fusion reactor at our disposal. The problem is that it's 93 million miles distant and we need to find a way to collect its energy with decent efficiency.
3. On the other hand, it really will be nice if it isn't BS.
Re: Naive is certainly an appropriate name for you
But we developed the iPhone!
Surely that should make up for all the rest.
Just as Virtualization (along with virtual memory) was an IBM invention. We always are indebted to those who went before and had new, interesting, and useful ideas.
"And what year did Linux get even a half decent interface that the average Joe could use?"
By my recollection that would be about 1995, and I found references back to 1996 for X11 and OpenWin with either olwm or olvwm. I quite liked the latter for its easily changed (by drag & drop) number of virtual desktops, the number of which apparently was limited only by the available memory. Originally developed by Sun for Solaris, it was a well thought out and implemented piece of work; performance was quite good on a 486-33 with 16 Meg memory. After nearly 20 years I can't be sure, but think there was a pointy-clicky way then to unmount and eject a CD, along with a fair number of other useful things, and it seemed to support pretty much anything that knew how to run as an X client.
As I recall, Microsoft's best consumer offer at the time was Windows 95, probably not their premier offering and, from a stability viewpoint, substantially inferior to either OS2 or Linux and X Window. Its saving was that it was supplied by default on just about every PC sold commercially and would run most or all of the applications developed for MS-DOS and earlier MS Windows versions.
It is incorrect also to confuse the task of installing Windows, which almost nobody had to do, with installing Linux, which required a bit of knowledge and, depending on the release, a possibly significant amount of interaction with the installer application. The proper thing is to compare operation after installation and configuration.
Re: Oh goody
Retention and publication restrictions already cover the organizations named.
- Experian, TransUnion, and Equifax are governed by a number of laws and civil court decisions, including a legal requirement to drop information after a period of time.
- The IRS, as I understand it, ignores information over about three years old unless they find evidence of fraud, in which case the effective period is indefinite.
- For the NSA, the legal retention is 5 years or less for nearly everything and generally 0 for US person information, although that obviously conflicts to a degree with retention of communication information between a US person and a foreigner. The FISA and USSID 18 rules are quite specific in this area.
- The CIA is expected to pass to the FBI or maybe, now, DHS, any material pertinent to US persons or activities; for the latter agencies I would expect the rules for criminal investigations and proceedings to apply.
I do not know whether Google (Yahoo!, Bing) would be misclassified in the US as "publishers", but suspect it would make little difference, as restriction of the right to publish true information here is quite difficult to get and therefore quite exceptional. Notable instances are classified government documents and copyrighted material, and occasionally court proceedings and documents are suppressed for a time. The idea of deleting or delisting "outdated or no longer relevant" information is alien, as is the curious notion that unpopular ideas like white supremacy or holocaust denial could be regulated or suppressed. The idea that official and public actions of a government body, like that taken against Mario Costeja Gonzalez in Spain, could be ordered "forgotten" is, in the context of the first amendment, preposterous.
If anything, we err in the other direction, as in assigning "sexual predator" labels that are legally required to remain public for long periods or permanently for the life of the assignee.
Re: Scrap the whole system
And people whine about NSA's presumed tracking capabilities?
Re: British Database
The SSN, for practical purposes, is a national ID in the US. Despite the fact that its use as a primary account identifier has been illegal for nearly 40 years, it still is used extensively within the government and probably in the private sector as well, and retained in a good many files and databases where it has no legitimate purpose.
In addition to SSN use in filing fraudulent federal income tax returns over the last several years, availability in the last year or so of a national Social Security self-service web site has occasioned fraudulent rerouting of SS payments. There almost certainly are other cases.
Re: reporting cyber incidents would not incur any additional costs
And before the audit you will have to complete about an inch of vulnerability self assessment checklists for each system, for each year (or inch-equivalent - somewhere between 500 and 1000 questions). The questions will, of course, change from year to year, dampening excessive cloning. This manual effort will supplement the required vulnerability scans, further burdening employees who might otherwise be spending time patching and fixing the vulnerabilities, or requiring hire of additional employees or contractors.
I almost stopped reading after the words "civil servant" in the first line. Out of a probably misplaced sense of duty or something like that I read the rest; it did not change my mind.
Nothing good seems at all likely to come out of this.
Re: Multi-Stakeholder model.....
Correct, but I would put it a bit differently: there are too many people who want to have control for it ever to go anywhere. No good can come of it.
The seemingly obligatory reference to NSA shenanigans is a misdirection. They were not helped by present naming/numbering allocation procedures and will not be hurt by changing them. They (and all other SIGINT agencies) operate largely at a lower level and will use whatever addressing and routing information is available.
Complete rewrite? Rubbish. Nobody who ever wrote programs for a living believed that for a second.
Microsoft might not be the nicest company to deal with, but they are not so stupid as to discard their own debugged code in favor of rewriting the functions from scratch.
The unfortunate thing is that Snowden or not, nearly all of this leaked out.
Yes. There is a place, perhaps, for a network of things inside my house. There is very little to be said for connecting that network to any that is accessible from the Internet. In over six decades of inability to control things inside my house remotely I have suffered only very minor and occasional inconvenience. The notion of connecting everything I might want to control to the Internet, even through a VLAN, gives me a righteous case of the queasies.
Upvoted, with reservations. Although Greenwald, Poitras, and others appear to have redacted names, and most of the illegally released material describes information that has been known for years in general, and in some cases with a fair degree of detail, the material also contains quite a few additional details that may not have been known. It may enable information assurance and counterintelligence personnel to detect vulnerabilities and targets, and concurrently to identify individuals who provided assistance, that would have been impossible or much more difficult without the release. Vulnerability and target identification result only or primarily in loss of sources and compromise of methods, but identification of agents that might result from related investigations could lead to their imprisonment or worse. And of course we don't know from what has been published that more, including names of people who are now vulnerable, has not been made available privately.
As for "gross misjudgment, incompetence, greed and base motives," it is not entirely clear that the released material shows it extending much beyond the outsourcing of background investigations. A considerable part of the material describes the details and mostly successful operation of internal and judicial controls aimed at protecting US citizens from unwarranted government action, and the major, if not only, release of privacy impacting information about anyone has been as part of the "revelations": the NSA collected, processed, and retained email message contents under FISA rules; Snowden removed it from their control, and those to whom he provided access made it public.
I have to say that having read the Maass and Poitras article, and the documents that accompany it, I am pretty underwhelmed by the depth and scope of the new revelations. Most of it seems to have been known generally by 2012, and all or nearly all the rest came out by the end of 2013.
The girl friend probably is not implicated, and likely can travel freely on a US passport, subject to funds availability, with no more hassle than, say, Glenn Greenwald.
By no means a Microsoft fan, but ...
Is there any evidence at all that Microsoft or any of the other major technology companies pays female employees less than male employees for the same work when account is taken of work quality, experience, skill level, and the like?
Same question for hiring: is there evidence that Microsoft or similar companies discriminate in hiring against women with essentially equivalent education and experience, or hire them at lower salaries or for jobs with lower overall advancement potential?
The often repeated statement that women are paid ~78% of what men are paid presents a single number as a claimed representation of an enormous range of job classifications, personal choices, life experience, education, and work experience.
Have they not heard of Faraday bags?
Many available from Amazon.com and quite a few others, $20 or so.
Alternative, aluminum foil, $.05 or so.
Re: illegal abroad surely
"If this precedent stands then the other members of the 5-eyes can hack into US based computers and turn the results over to the NSA ...".
I do not think this is correct. It may mean it is legal under UK law to penetrate US systems without a UK warrant and present the results as evidence in a UK court (and similarly for Australia, Canada, and New Zealand). Then again, depending on treaty arrangements, it might not be legal. My guess is that in all of the 24 possible pairs of Five Eyes governments there are treaties in effect that would make such evidence gathering unlawful and the evidence collected inadmissible. That might or might not be true for the US and Iceland. Presumably Ulbricht's attorneys are competent enough to have brought any such information to the attention of the judge who will be deciding the issue.
Re: Lazy Lunacy
There is no reason to suppose that evidence gathered with a warrant is either more or less reliable than that gathered without one. Whether or not the evidence is "dodgy" depends much more on showing that it was handled in a way that ensures against alteration by the offeror, whether prosecution or defense. Ultimately, under US (and, I think also UK) law, the jury determines that, and whether the evidence is relevant, and whether it supports a finding of "guilty" or "not guilty".
The present issue is whether the evidence was collected in a way that allows it to be brought to a trial and offered to a jury, along with testimony, elicited in direct and cross examination, about it.
Re: Lazy Lunacy
No, it is as I said. The FBI claims a warrant was not required and the evidence should be admitted; Ulbricht claims the opposite. The judge will decide which is the case. The loser might appeal, but the decision eventually will be final one way or the other.
Whether to extradite the FBI or other US government personnel involved in collecting the evidence at issue depends on a number of details:
- whether Iceland officials find that a crime has been committed under Iceland law;
- whether there is an extradition treaty between Iceland and the US;
- if the answer to the first two is "yes", whether the Iceland government seeks extradition;
- if the answer to the first three is "yes", whether the US grants the request.
Re: It's not 4th Amendment, it's Article I, section 8!
Article I, Section 8, Paragraph 11 grants the Congress the power "To declare War, grant Letters of Marque and Reprisal, and make Rules concerning Captures on Land and Water".
To call subverting a privately owned server located in Iceland "attacking the infrastructure" and therefore an act of war seems quite a stretch. However, what the FBI is claimed to have done seems likely to fall into the "Captures on Land and Water" box, where the Constitution explicitly grants the power to the Congress. There might even be US law to cover what they did.
Re: I just have to say...
Gary McKinnon violated US law by accessing government operated equipment. The US Government requested that he be extradited to stand trial in a US court, and the UK government, after a great deal of deliberation declined to do that. And the case is largely closed, although I would not recommend that Mr. McKinnon plan to vacation in the US.
The corresponding scenario in the present case would be for the government of Iceland, if they believe Iceland law to have been violated, to request that the accused FBI personnel be extradited to stand trial in their courts. I do not know whether there is an extradition treaty in effect between Iceland and the US, or whether a request, if made under such a treaty, would be honored or declined as the UK did in the McKinnon case.
In any event, the FBI is claiming only that they violated no US law and did not require a search warrant from a US court. We have yet to see what the judge will have to say about that and the defense argument to the contrary.
Re: So the FBI's position is that it is legal for governments to hack US servers?
Carrying a gun in the UK might be illegal under UK law but not under US law. UK law certainly would apply, and the US consul, in such a case probably would provide little or no assistance. But the act probably would not violate US laws. Similarly, the FBI might have violated the laws of Iceland but not those of the US.
A US court's warrant would be valid outside the US only to the extent provided by treaty.
It would be quite interesting to have a comment on this episode from an Icelandic attorney.
Re: So the FBI's position is that it is legal for governments to hack US servers?
This logic is quite incorrect. The FBI apparently takes the position that their search of a foreign server did not require a warrant because it was located outside the US. The logically comparable assertion would be that the national police agency in China (or Russia, Israel, France, or Iran) takes the position that searching servers in the US or other foreign countries is consistent with their laws. Such an assertion might well be correct. The FBI certainly would not agree to that.
Whether conducting searches outside the US complies with US law or requires a warrant depends on treaty provisions which, once a treaty is ratified by the Senate, have the force of law in the US. It is possible, for instance, that it is unlawful in Iceland to act as the FBI appears to have done, yet not unlawful in the US because there is no treaty provision that makes it so, and Constitutional protections generally apply to those under US jurisdiction - citizens anywhere and legal US residents in the US.
Re: So by their 'logical' extension
"Iran or North Korea can hack into US servers ..."
That probably would violate the Computer Fraud and Abuse Act, just as what the FBI is alleged to have done may violate the law in Iceland. It does not appear that the FBI has claimed compliance with the law anywhere but in the US. The symmetric case would be for the government of Iran or North Korea to take the position that hacking computers in the US (whether government or not) does not violate their laws. And they might be entirely correct in making such a statement.
Re: Lazy Lunacy
The fact that evidence was gathered with help of a warrant, or without it, says nothing at all about its credibility in a court proceeding. Credibility of evidence and testimony are entirely matters for the jury to decide. Lack of a warrant for evidence obtained in a search may, but will not always, cause it to be excluded from the jury's consideration. In practice, a great deal of the evidence in criminal cases is collected without a warrant - evidence collected at a crime scene, for instance, or in a personal search incident to an arrest.
The question before this court, at the present time, is whether particular evidence collected from a foreign server will be admissible in a still hypothetical future trial.
Re: Who had control of the server?
Pretrial motions are not the place to raise questions of reasonable doubt. All the government has to establish at that point is that there is, indeed, probable cause to think the crime in the indictment or charge was committed by the defendant, and that the evidence to be offered is admissible. If the matter goes to trial, the jury will determine the outcome based on the evidence, considering any alternatives offered by the defense that raise reasonable doubt about guilt.
Re: So why bother to send a letter of request to a foreign country...
US law includes provisions of treaties made by the President with the advice and consent of the Senate (2/3 of the Senators must concur). If there is a treaty with Iceland that covers this, the FBI would be required to follow it, and failure to do so could damage or destroy the admissibility of any evidence they gathered.
Re: A good judge would...
No. A good (US) judge would decide the issue on the basis of US law and relevant Senate-affirmed treaties. That might or might not result in criminal charges in the US.
A good defense lawyer might seek to involve the government of Iceland. The government of Iceland might agree their laws were violated and issue international warrants. Depending on treaty provisions, they might or might not be enforceable in the US.
Re: illegal abroad surely
Yes. But more significantly for the case at hand, they are claiming that their actions are consistent with US law. Whether it is or not will be determined by a US court, taking into account any treaties that the Senate has ratified that govern the specifics. Contrary to the claim, there is nothing especially odd about this; settling issues like this is what lawyers do occupationally as a matter of normal practice.
Re: So why bother to send a letter of request to a foreign country...
"I wonder how the US would react if a foreign national criminal investigation bureau hacked a hosting business in the US" would not seem to be the comparable question.
The relevant question would be how a non-US court in, say, the UK, Germany, France, or Iceland, would react if their national police agency hacked a server at a hosting business in the US or another country. For the example given in the second paragraph, would the court in Iceland reject evidence the Iceland police force had gathered from a GoDaddy server?
LOVEINT: A dozen or so individual employees misbehaved in a reporting period of 6 or 8 years, were found out by their own admission or NSA internal reviews, and were punished, mostly or entirely by discharge or forced retirement. Not good, but also not enough to rubbish the entire agency, which probably employs several ten thousand or more analysts at any given time.
The Bluffdale, Utah data center is largely a lights out operation. At completion, the local newspapers reported that ongoing employment would be in the neighborhood of 200. The analysis is done elsewhere.
The three deep contact chaining limit probably represented a pragmatic compromise between missing significant intelligence and producing so many results that anything of significance was obscured by noise.
Those who start with a presumption that the true purpose of the government is to control the citizens and suppress dissent as much as possible might conclude that all government surveillance is illegitimate and should be ended. Those who think the government has a proper role in trying to anticipate what can go wrong and prepare to oppose it might conclude that things like surveillance cameras nearly everywhere and databased communication metadata have a proper place in supporting that role but require close supervision to prevent misuse. In the US, at least, the overwhelming majority of police power misuse has nothing to do with mass surveillance or targeted communication surveillance and much to do with inadequate training and tactical misjudgments by police officials, and self-promotion by prosecutors. Most of this occurs at the state or local level of government, where internal controls tend to be more lax and less uniform, but they occur at the federal level as well (e. g., Ruby Ridge, Branch Davidian, Aaron Swartz).
It strikes me as inconsistent that we seem to acquiesce in, or even demand, handing over to our government immense power to do good (provide medical care, ensure full labor employment, for example) and tend to oppose vehemently granting it powers arguably connected to ensuring public safety, which many would agree is a core government function. One might argue that the surveillance fails a reasonable cost-benefit analysis, but that differs from the usual argument made, that the surveillance, along with the capability to do it at all, is intrinsically illegitimate.