* Posts by tom dial

1071 posts • joined 16 Jan 2011

Chat about Safe Harbour all you like, the NSA's still the stumbling block

tom dial
Bronze badge

Re: NSA is the problem

Is there evidence that NSA has greater access to data resident in the US than that resident elsewhere? The procedures used would differ somewhat, but access to foreign data stored in the US may require legal process that may not be needed to access it in some other locations where NSA has the authority under US law to obtain it directly without troubling to make a request.

0
0

Automattic says spooks asked for something it can't reveal

tom dial
Bronze badge

Re: So, up to 125 then

"None", as Automattic reports for 2014 and the first half of 2015, would appear to be 0, as does the sentence following their table: "We are pleased to report that we received no National Security Requests during 2014 or so far in 2015."

Rounding does not apply, and a positive number of requests less than half of 249 could not truthfully be shown as 0. Showing "0 - 249" for the first half of 2013 suggests there was at least one, and if they are being truthful, there were no more than 249.

4
0

How British spies really spy: Information that didn't come from Snowden

tom dial
Bronze badge

Re: Why are they not more often in the news ?

The arrests probably were in the news, along with arrests for a variety of offences where the police did not use intercepted electronic communication as part of the basis. It would be rare that communication interception brought an arrest, and a bit rarer still that it would be attributed to GCHQ surveillance given their known inclination to remain in the background.

The NSA were said plausibly to have passed information from intercepts to the US DEA and were criticised severely despite the likelihood that both the intercepts and their transmittal to DEA were of a kind authorized explicitly in the US Code.

1
0

Facebook fails to block NY DA's fat warrants for profiles of suspected September 11 fraudsters

tom dial
Bronze badge

To describe the result somewhat differently, there seems to be exactly the same possibility to challenge a warrant for data before execution as there is, and has been, to challenge a warrant to search your house, car, or office. And I wonder if that might not be the case in quite a few places other than the US, to the extent that the question has been brought to a court and settled.

As the court and article noted, the defendants are entitled to challenge the warrants after the fact and, if successful, suppress any evidence they revealed. And nothing prevents legislatures establishing additional constraints for the future, if they wish.

1
1

The Ruskies are coming for you, NSA director tells City bankers

tom dial
Bronze badge

Re: secure?

The Arpanet was designed to be resilient in the face of physical disruption, but not particularly to protect the content of communication it was used to transfer. The goal was to ensure deliverability. For data protection there were, and are, other measures like encryption that go back centuries in time, as do the problems with ensuring message integrity and privacy. Both goals have associated difficulties.

1
0

Bloke thrown in the clink for hacking SIXTY PER CENT of Americans

tom dial
Bronze badge

Re: Not under THIS...

This is not China; we have no great firewall. It is doubtful that the Constitution grants it the authority to enact laws that compel businesses or individuals to administer their systems in a secure way; and if they do, there is no way they have the resources to enforce such laws. As noted, they do not have the effective power to make their Secretary of State or OPM director do that.

It would be interesting to see a presentation of the theory under which the federal government is responsible to "even begin to protect the digital assets of the US" other than those of federal agencies. The administration has argued that it should, but this was met with considerable pushback from many who were concerned about giving the government too much power - many of them now, doubtless, seriously agitated about the NSA and its activities.

They can, and do, sponsor various activities and organizations such as MITRE and CERT, but in many respects the internet and its connected systems are not fundamentally more secure than they were in November, 1988 - much depends on the diligence of the system and network administrators; some are competent and motivated to secure their systems, but all too many are lazy, incompetent, and do not care much beyond doing the minimum to ensure continuation of their regular paychecks.

2
4

Citizenfour director Laura Poitras sues US for years of border security harassment

tom dial
Bronze badge

Re: Thou shalt not...

The claimed harassment had nothing at all to do with Edward Snowden, as all of it occurred well before any of us, including Ms. Poitras, had heard of him. The runaround on the FOIA requests might relate to that, however, or it might relate to a combination of incompetence and intransigence on the part of some of the agencies in handling such requests. ODNI appears likely to have given Ms. Poitras a standard response to any FOIA request for material that is either sensitive or potentially embarrassing: they denied it on the basis that the fact of its existence or nonexistence was classified as related to intelligence sources and methods. The DoJ, on the other hand, denied release of the 6 pages they or the FBI admitted having found as a matter involving grand jury secrecy. Other agencies seem at most to have gone through the motions minimally and hoped the FOIA requests would go away.

2
0

Google makes new hires ONE pay offer. 'Negotiation'? What's that?

tom dial
Bronze badge

Re: A very Google solution

In the US government, which employs far more people than Google, offers are entirely algorithm based and not negotiable at the entry level: generally General Schedule grade and step. Relocation may or may not be paid, depending on the announcement. Mid-level and senior hires may have some wiggle room to negotiate, as probably also is the case with Google.*

I expect a great many companies with staffing large enough to justify a separate HR organization have algorithms to constrain compensation for legal compliance reasons. Without a substantial survey it is not clear to what degree Google is exceptional in its rigidity.

* The US DoD switched for several years from the General Schedule to a "National Security Personnel System" that set up a small number of overlapping pay bands and gave supervisors and managers considerable flexibility in determining employee salary. After three or four years they went back to the old General Schedule.

0
0

Attention dunderheads: Taxpayers are NOT giving businesses £93bn

tom dial
Bronze badge

Re: The majority of UK Tax burden is not being paid by companies...(Hollywood Accounting Method)

The studios make a profit on the services they sell to the independent entities that produce the film. The (natural person) partners of the producing entity collect salaries or purchase the bonds of the producing entity. Simple bookkeeping takes care of ensuring there is no "profit". While this is partly made up on the spot, and the actual structures in use surely are more subtle and complex, it is clear that rivers of cash do not imply a profit.

0
1
tom dial
Bronze badge

Re: So how didn't he get it?

It has been popular here in the US for some years to state as fact that anything the government does not take in taxes constitutes a government "tax expenditure". Thus, the dependent exemption on the personal income tax form, or the mortgage tax exemption is transformed into a "tax expenditure", especially when the deduction claimant has above-median income. This is the stuff of the Guardian article.

1
0
tom dial
Bronze badge

Re: The Truth of the Matter is this...

It would seem that the Greek problem is that they never managed to reach a primary surplus or put forward a remotely plausible plan to do so. That would lead naturally to the conclusion that they could not repay any amount of debt in a finite number of years, something that quite understandably concerned their debtors. The reason for failure, whether government giveaways, tax fraud, or other corruption, appears to a first approximation quite immaterial.

2
1

US OPM boss quits after hackers stole chapter and verse on 21.5m Americans' lives

tom dial
Bronze badge

Re: Nice pension

As noted, the paper SF-86 has been replaced by an application served from OPM. That is not a reason for the database containing the data to be on a network attached to the internet. At my former agency (not OPM) we were exceedingly careful about Personally Identifiable Information leaks; this is the mother of all PII compromises.

1
0
tom dial
Bronze badge

"if you ever filed for a security clearance..."

I expect not. OPM was quite a bit behind in digitizing old documents, probably including the security clearance questionnaires and any information collected during background investigations. From 2003 or so the SF-86 form was a filled PDF served by OPM, and I think the background investigation data was set up similarly; those surely are gone. SF-86 before then and other similar forms such as the SF-85p may still exist only on paper. Newer ones and the related background investigation data probably were digitized as received and older ones would have been done as time and other resources allowed; some of those may not be gone, but the more recent ones that matter the most probably are. The backfile conversion data may be scanner output files, a bit more difficult or costly to use than the recent SF-86 data.

OPM may never know enough detail about it to be sure, but over time will come pretty close. There is likely to be uncertainty about the status of those in process during the breach period, whether new or backfile conversion. Similar considerations probably apply to other types of clearance processing, for example National Agency Checks and National Agency Checks with Inquiries. OPM probably will notify everyone whose information cannot be shown never to have been digitized.

0
0

Crap crypto crackdown coming as FBI boss testifies to US Congress

tom dial
Bronze badge

"Could those who devised the Fourth Amendment really conceive of a device that could store every piece of information about you and every communication and that could not only store that information but catalogue it, index it, search it, cross-reference it, copy it and display it, and could do so taking up no more space than satchel?"

Probably not, but they would not have hesitated to say that a government search of such a device would require a warrant issued "upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched and the ... things to be seized." And they almost surely would have said the same about communications passed between two such devices.

0
0
tom dial
Bronze badge

In fairness, Comey and others taking essentially the same position are not requesting anything at variance with the US Constitution or later Supreme Court decisions concerning search and seizure or privacy. They are asking for development of a technical capability that will allow them to execute properly issued search warrants for data that may be encrypted, as they can for data in tangible form that is in a locked building or file cabinet.

The counterarguments now do not differ much from those of a couple of decades ago against use of the Clipper and Capstone chip implemented systems; Schneier summarized them decently in 1996. It would be difficult to implement such a system, although the Clipper and Capstone implementation weaknesses do not prove impossibility; in practical terms it would be impossible to enforce against those of most concern; and it would expose everyone to compromise of the escrow database. So, as was true then, we should not bother. Law enforcement officials sometimes will be stymied by use of encryption and have to attain their goals without the encrypted information.

1
2
tom dial
Bronze badge

Political Theater

At least I think so. It seems quite unlikely that the US Congress, most members of which are functionally clueless about the matter, would pass legislation criminalizing use of encryption by private citizens or limiting the algorithms and protocols they are allowed to use. They also probably are quite smart enough to realize that such a law, if enacted, will at most allow police to harass those who choose to ignore it, as the criminals, terrorists, and citizens engaged in legal activity but annoyed by such cheek will do; as I shall do.

In the end the law enforcement officials will have to rely on courts to issue warrants and cooperation of the recipients of such warrants subject, possibly, to punishment for contempt of court or prosecution for obstructing an investigation.

1
0

How a Cali court ruling could force a complete rethink of search results

tom dial
Bronze badge

As the staff in a brick and mortar jewelry store surely would do.

Those who search on Amazon should expect to see results for products that Amazon or its vendors can supply. Sellers who decline to sell through Amazon are a bit cheeky to go to court and demand that Amazon, whose business is selling products, show nothing at all that doesn't match their brand. Those who do sell through Amazon can reasonably expect Amazon to show results for their product ahead of results for similar and possibly substitutable products, but have no reason to expect Amazon to exclude others unless Amazon, possibly for a price, agreed to do so.

4
9

Argentina finds messenger to shoot after e-vote vuln allegations

tom dial
Bronze badge

Evoting = bad

I cannot upvote this enough times. The notion that we need the election results by the 10PM or 11PM TV news report seems to be one driver of this electronic voting rubbish, along with probably untrue claims of money to be saved by the use of electronic vote recording and counting machines.

The requirement is not that the outcome of an election be reported quickly (Senator Al Franken's first election to the US Senate was not decided until six months into his first term). The true requirement is that it be determined by procedures that are uncomplicated, transparent enough that nearly every voter can understand them and those with an interest can see that it is being carried out without obvious fraud (or that attempted fraud is reasonably easy to detect), and auditable for recount purposes. While it also should be reasonably efficient, many or most of the costs occur no more than once a year, and nearly all less often; in any case, it is likely that even neglecting capital and machine maintenance expenditures, electronic voting or vote counting equipment costs at least as much as administering and counting paper ballots.

2
0

China hacks 'everything that doesn't move' says Hilary Clinton

tom dial
Bronze badge

It is quite incorrect to suppose that the Chinese, Russians, Japanese, French, Germans, and others do not engage in signals intelligence to the full extent of their capabilities and interests. Hacking the internet and internet-attached devices is a quite natural extension of signals intelligence activities targeting radio and wireline telecommunications that significant international actors have engaged in for at least the last 75 years. And those signals intelligence activities extend and supplement intelligence activities that go back for at least three or four centuries more to the earliest days of anything that could reasonably be considered a nation-state.

Ms. Clinton's reported statements suggest that she is either naive about the way governments behave or has judged rather cynically, but probably correctly, that US voters are clueless about that.

5
1

Assange™'s emotional plea for asylum in France rejected

tom dial
Bronze badge

Re: Even if..

And one is left to wonder whether, once caught, the French government would be silly enough to grant bail at any price.

3
0

As the US realises it's been PWNED, when will OPM heads roll?

tom dial
Bronze badge

Re: @tom dial

I never have been a fan of punishing those not shown to be guilty. It may please congressmen to demand resignations, and it may resonate with those they hope will reelect them, but there is no evidence that doing so will improve OPM IT operations, which seem to have been inexcusably sloppy for quite a few years before the present managers took up their positions. The damage is largely done and unrecoverable and firing those now trying to fix the underlying problems is more likely to do harm than good.

0
0
tom dial
Bronze badge

Re: Peter principle

The head of a major federal (or state) agency like OPM is largely or even primarily a go-between - between the political masters in the executive and legislative branches and those in the agency, mostly senior civil servants with quite a lot of experience, some of it often both good and applicable to the cases at hand. They are not expected to engage much in day to day management, nor should they. They instead convey political and major policy direction to those who do, and advocate for the agency and its mission to executive branch personnel at the cabinet level and to congressional committees and their staffs. They spend the great majority of their time in meetings, much of it outside the agency. Agency directors are more likely in a well-run agency to get in trouble by intervening in operations than by doing their primary, political, job and letting the permanent civil service staff care for the details of policy implementation and daily operations. Conversely, in a not-so-well run agency, the director can do little more to effect change than reassign personnel.

My sense is that in IT matters, OPM had been a mess for some time, and reassignment of the previous CIO (by the previous director) with no immediate replacement probably indicated that OPM management, their superiors in the executive branch, and their congressional overseers knew it. Archuleta took office eight months later, and appointed Seymour a few months later, by which time OPM had had an acting CIO for eight or nine months and probably continued to drift along whatever path led to removal of the prior CIO. To assign major blame to either or both of them is largely misplaced, and dismissing them is as likely to perpetuate the damage as to correct it.

1
0
tom dial
Bronze badge

Re: Bah!

OPM management requested money and billet authorization over the years based on needs they identified in the budget request process. They never got everything they wished for (with probability not measurably different from 1.0). Yet the reports have it that they added systems without making them secure (and perhaps without knowing where and how they were attached) and reportedly let maintenance slip rather badly, which many might think unwise. The right question of OPM is not whether they received the resources they requested, but how they managed IT with what they received.

In the (DoD) agency where I worked, we received annual reductions in both money and billets, but over the years security was gradually and regularly tightened, systems were inventoried, the network maps timely maintained and an increasingly detailed set of security requirements were applied retroactively as well as prospectively. The retro part sometimes was not fully up to date, but existing systems were patched and new ones were compliant with security configuration requirements before being attached to the LAN. The firewalls were quite exclusionary, to the point of irritating developers excluded from consulting external technical web sites classified as "chat". BYOD was not discussed, remote access was by VPN using government owned and maintained equipment only, and (courtesy of the DoD PKI program) two factor authentication was the only way of access other than at system consoles. Development sometimes suffered from this. All that was as directed by the CIO and his director of security, with full support of the agency directors. And that, I think, made a difference, as successful known penetrations were not known to have occurred as of about three years ago.

1
0
tom dial
Bronze badge

It appears that OPM's IT managers have been on indoor annual leave for years. Reports say the OPM doesn't know the systems they have, or how they are connected, and have not done regular patching on some, many, or all of them. If I were updating my resume it would be a tough choice whether to show recent employment there or pretend to have been unemployed since being fired for cause at my previous job.

They almost certainly have been squeezed for resources, but that is not a fully satisfactory excuse for getting priorities so out of whack. I think the risk of losing control of this data, even the SF86 information, has been overstated. However, I can guess that management in pretty much every agency that has employees in sensitive positions is pretty pissed, partly because most of them hunkered down and managed to map their networks and patch their systems on a fairly regular basis under much the same resource constraints.

0
0
tom dial
Bronze badge

Katherine Archuleta took office at OPM in October, 2013 - not all that long ago in the context of OPM's IT management troubles. The previous director reassigned then-CIO Matthew Perry in February, 2013, and Donna Seymour was not appointed to the CIO vacancy until December, 2013. Nine months is rather long for such a vacancy to remain unfilled, likely due to concurrent lack of a "permanent" director. My experience is that acting agency directors are slow to fill executive vacancies unless they are almost certain to be selected for the top position, something that is quite unlikely when that is a political appointment and the acting director is a civil service employee. Temporary executives like the acting OPM CIO also have a tendency to allow things to drift; that would have aggravated an already bad situation.

Archuleta did not come from an IT background and IT is not a primary OPM mission. There is no reason to think she would, on her own, realize the mess she had on her hands until informed by her CIO. Seymour probably arrived for duty in January, 2014, and likely would have required some time to become aware of it, and that appears to be close to the time when the penetration began to take root and begin exfiltration of data. And both of them would have had quite a few other matters to deal with. January is four months into the fiscal year, and planning for end of FY expenditure management normally will be starting. Major changes to planned activities are difficult for upper management to undertake for the current year, especially if they are comparatively new on the job and not yet familiar with who on the staff can, and who cannot, execute. It also is well into the planning year for the following fiscal years and late to be making major reallocations.

As a retiree whose personal information, including SF86, appears to have been taken, I am not at all pleased with this, but also am not inclined to jump on the bandwagon and demand that these two be sacked. Unless they can be shown to be as feckless as their predecessors (and their predecessors' placeholders) it is far from clear that replacing them would do more than extend the disorder and delay correction of the underlying IT management problems. It might be beneficial to insist that they obtain assistance from outside the agency to assist them in evaluating and correcting the situation. Given Ms. Seymour's employment history with DoD, which runs a much tighter operation than what has been reported of OPM, it would be unsurprising if OPM already had done so.

2
0
tom dial
Bronze badge

The OPM operates web applications for federal civil service retiree support, for applicants for federal employment, for completion of security background investigation requests (these are no longer done in paper form), and for at least one other federal agency. In the main, this is a result of an "eGovernment" undertaking begun (I think) under President Bush and continued under President Obama.

0
0
tom dial
Bronze badge

Re: Peter principle

Like all of the major department and agency directors, Katherine Archuleta is a political appointee. That said, there is no reason that a political appointee, if supported by competent and experienced civil service executives, cannot be quite successful as director. The problem in this case appears to be that the civil service executives had, for years, been inadequate in IT management matters.

3
0

GCHQ: Security software? We'll soon see about THAT

tom dial
Bronze badge

What springs first to my mind

is that McAfee may be thought of by others much as I think of it - a black hole for CPU cycles that drains the life out of a PC. When the agency I worked for installed it we figured out in short order that tolerable performance could be had only with a multi core CPU and plenty of memory. Some applications (Oracle development tools, as I recall) took over half an hour to start up unless they were "trusted" and excluded from the scan.

Then again, maybe the agencies have an in with some manufacturers, or the design of the products is such as to make reverse engineering unnecessary.

2
0

Open-source Linux doesn't pay, said no one ever at Red Hat

tom dial
Bronze badge

Re: Even if it doesn't pay.

As I see it, the good of systemd is that I can reboot in a small number of seconds, and the bad is that I seem to have to do it at least ten times as often, for something like a wash, except that I need to learn a new way to do things that were quite straightforward with the sysv bucket of mostly fairly simple shell scripts.

2
0

'No evidence' Snowden was working for foreign power says ex-NSA boss

tom dial
Bronze badge

Re: Remind me again...

In the case of the OPM, the primary responsibility belonged to the OPM director, her CIO and those who work for them implementing and maintaining systems and networks.

1
0

Chrome, Debian Linux, and the secret binary blob download riddle

tom dial
Bronze badge

Re: Ban Hammer

No. Some people like chromium, and others may or may not like it but are unwilling to restrict those who do. As a blob, the software in question obviously is incompatible with Debian Free Software Guidelines and should not be included in the main repository. If Chromium downloads and installs it automatically and by default, it arguably also fails the DFSG test and should be downgraded to the non-free or contributed software repositories, but still be available to those who want to install it but do not want to add non-Debian repositories.

The reported fix, that Chromium will not download the offending module without specific user action, is a suitable alternative that preserves users' freedom while offering reasonable protection against what can be viewed reasonably as inappropriate behavior of the module. A security announcement, and distribution of the correction through the security repository, would be best to ensure the widest distribution.

0
0
tom dial
Bronze badge

Demotion time?

If Chromium is to download binaries for which free source is unavailable, it would seem reasonable to remove it from the main repository to non-free. It should be available for those of us who wish it, but easily excludable by those who are more picky about free software or object to what chromium might do.

19
0

Google on Google: The carefully collated anti-trust truth

tom dial
Bronze badge

Things I like to watch out for in presentations

1. Charts that don't show one or more of the scale units.

2. Charts and tables that show percentages, and especially change percentages, but not the base numbers/units used to compute them.

4
0
tom dial
Bronze badge

Re: Free services are not free

The technical term for what Foundem and others are doing is "rent seeking" - the expenditure of resources in order to bring about an uncompensated transfer of goods or services from another person or persons to one's self as the result of a “favorable” decision on some public policy.

(www.auburn.edu/~johnspm/gloss/rent-seeking_behavior)

2
1

'Snowden risked lives' fearfest story prompts sceptical sneers

tom dial
Bronze badge

Re: So...

With decently implemented encryption systems and reasonable key sizes, the efficient way to access specific encrypted material is to obtain the key from someone who has it and apply it. Back doors, escrowed keys, and encryption system or protocol attacks are for other use cases.

For law enforcement purposes, search warrants, subpoenas, and contempt of court punishments ought to be enough, or more than enough, for nearly all cases.

0
0
tom dial
Bronze badge

Re: Has anyone seen...

The New York Times (June 15) and the Washington Post (June 12) also covered it.

2
0

'Logjam' crypto bug could be how the NSA cracked VPNs

tom dial
Bronze badge

Re: What is unbelievable..

If "FIPS Compliant" means what it appears (and ought) the US government (a) certainly is not pushing weak encryption and (b) forbids its use by any federal agency. Any statement to the contrary requires strong evidence.

One wonders, though, how many federal agencies (e. g., OPM, Department of State, White House) actually are FIPS compliant with respect to any of the FIPS publications. It is not terribly difficult technically, but quite a chore given that in most agencies IT is not part of the primary mission and accordingly tends to be squeezed for staffing and budget and outsourced to low bidding contractors.

0
0

Google – you DO control your search results, thunders Canadian court

tom dial
Bronze badge

Re: Dissembling

Some people might think there is a difference between taking money for posting ads, like the YP do, and also Google, although not, apparently, for Datalink, and what Google apparently is being ordered to stop, responding to a search engine query. Very few would think it bothersome to compel them to remove paid ads from a fraudster, but telling them to remove non-advertisement search results is bothersome to US First Amendment supporters like me.

2
0

Confusion reigns as Bundestag malware clean-up staggers on

tom dial
Bronze badge

Re: Do you know how much this costs

Or might that not be secure off site compromised backups? How would you know they don't contain the attack, all ready for reactivation at first boot?

The nearest thing to secure probably is a really old system with no peripheral equipment later than IDE, no HDD containing software (not clear how that can be enforced, though) and certainly no FDD or USB capability. Overall, not a particularly satisfactory solution.

1
0

Screw you, ISPs: Net neutrality switches on THIS FRIDAY – US court

tom dial
Bronze badge

Re: Ajit Pai Opined ...

Just as Tom Wheeler's previous employment as President of the National Cable & Telecommunications Association and CEO of the Cellular Telecommunications & Internet Association must have warped his judgment in his present employment as FCC Chairman.

Mr. Pai seems to have held public sector jobs, many of which involved representing the government's position on telecommunication issues, for about 15 of the 18 years since he graduated from law school. About five of them were with the FCC, as against a bit over two years - from 2001 to 2003 - that he spent at Verizon.

Lawyers represent their clients, and Mr. Pai presumably did so at Verizon, the FCC, and other government organizations. There is no more reason to think he supported their position out of personal conviction than there is to think Irving Kanarek defended Charles Manson or Jimmy Lee Smith because he thought they were innocent. Like Wheeler and the other commissioners, he was nominated by the President with some knowledge of his opinions and judgments about what the FCC should do, and confirmed by the Senate based on general knowledge of that.

1
2

If hackers can spy on you all then so should we – US Senator logic

tom dial
Bronze badge

It appears that almost nobody who felt a compulsion to comment on this took the trouble to read the summary, let alone the full text, of Senator Burr's bill, which appears to have two basic purposes. The first requires the federal government to share knowledge with other governments and the private sector about computer security threats and contains explicit requirements to remove personal and personally identifying information from the shared material (with an exception). The second is to allow (but not compel) other government and private entities to share such information with the federal government for specific purposes related to ensuring and improving computer security. It does not appear to allow monitoring or surveillance that is not probably legal now under contract law, although it makes it explicit and allows businesses to collaborate to a degree on information security without risking antitrust action, and offers protection for proprietary information in the form of exemption from Freedom of Information Act release. It also allows government use of the information for specified law enforcement and other purposes, including, one supposes, by the FBI and NSA to identify and attempt to interdict ongoing threats.

The bill has some vagueness and parts might be improved, including at least the following.

- clarification of the "person not directly related to a cybersecurity threat" whose identifying and other information is not required to be removed from data the Federal Government shares;

- an explicit requirement that personal and person identifying information be removed by those submitting threat information to the Federal Government; as the bill stands, this is left for the Attorney General to define in required guidelines;

- potential use of the collected threat information to inform development and implementation of information system regulations, better left out of this bill and put into any later legislation aimed at information security regulation;

- the bill incorporates part of a document "National Strategy for Trusted Identities in Cyberspace" that the President issued in 2011 that I thought a bit troublesome then and probably still would.

Senator Wyden and others no doubt will address these and other areas with amendments.

This bill probably should be severed from the National Defense Authorization Act. Its subject is important enough, and it has enough potential and actual problems that it would be better considered separately. In addition, the governments and private entities have plenty of other information assurance work to do before lack of threat information sharing becomes a significant impediment. It is not, however, the product of a seriously deranged would-be tyrant, as some might have it.


1
0

Decrypted WhatsApp chats laid groundwork for Belgian terror raids

tom dial
Bronze badge

Re: Should we assume a warrant was in place for this?

Well, one of NSA's two primary missions involves making and breaking codes. One might reasonably think they would assist in such matters. In view of the nature of the targets in this instance, their assistance probably would not depend on who collected the encrypted material.

1
1

Forget black helicopters, FBI flying surveillance Cessnas over US cities. Warrant? What's that?

tom dial
Bronze badge

Re: So what's new?

I completely agree about civil forfeiture. Given the well known fact that any US currency that has circulated has traces of cocaine, it is obvious that it allows the government to seize currency at will. I do not understand how it constitutes due process under the fifth amendment. I will continue to disagree that police presence at a public demonstration, including airborne surveillance, necessarily constitutes oppression or even tracking. First I've heard of kettling, though; it appears police crowd control tactics don't vary much across national borders.

0
0
tom dial
Bronze badge

Re: @I've forgotten what I wanted to say...

Indeed so. A decisive majority of many commentariats seems to be innumerate when the subject is related to crime, policing, or national security. They also appear to have forgotten why government is needed, and that the Declaration of Independence and Bill of Rights are not alone a complete description of its purpose and function.

0
0
tom dial
Bronze badge

Re: So what's new?

"What isn't allowed is plotting to use violence to do so." Precisely the point of my statement.

Despite all too frequent police and prosecutor misbehavior, there is no meaningful evidence that the US government or any part of it, or any subordinate government, is trying in an organized way to keep people from assembling to discuss, advocate for, or plan change to either the structure or the staffing of any government under the US Constitution - as long as their proposed methods are lawful. That said, it also must be said that advocates of change cannot assume their efforts will be unopposed, and they can and should anticipate pushback from other political parties and government officials they mean to replace. The opposition may sometimes exceed what the law allows. The more radical the proposed change, the more careful and circumspect they should be, and not only or even mostly out of concern for government interference. Airborne surveillance of the Baltimore riots was not "suppression" and that almost certainly is the case with other instances of FBI surveillance that recently have been in the news, just as it probably is for the RCMP's fleet of aircraft.

0
0
tom dial
Bronze badge

Re: So what's new?

People do, indeed, have a right to protest; they do not have the right to riot. Contrary to a later assertion, they also do not have a right under the US Constitution to assemble to change the regime or remove particular people from office; for that we have procedures to amend the Constitution, elections, and legal processes. Whether the people have a natural right to change the regime is another matter, rather more interesting and complicated.

Mass surveillance in the form of a circling plane bearing a camera or observer does not infringe the protesters' first amendment rights any more than the presence of police on the ground. It does not even remotely approach a fourth amendment search or seizure. It carries no presumption that anyone is breaking a law or suspected of it, and certainly does not touch on anything mentioned in the fifth amendment. Nothing about it represents unequal application of the law (that would be the fourteenth amendment). And it has nothing at all to do with the NSA (it seems to have been an FBI plane). It is a reasonable and unintrusive way for those responsible for protecting people and property to learn of trouble spots and perhaps manage the response.

I would have hoped any response would be more reasoned.

0
0
tom dial
Bronze badge

Re: So what's new?

So you are against use of any method that has the capability to put in view anyone other than a specific target whom they have good reason to suspect is a significant threat, and any surveillance not associated with identified suspects (of criminal activity)? That seems quite unreasonable. The example of Baltimore a few weeks back suggests that general - i.e. "mass" - surveillance may be quite reasonable. In that case there was good reason to suspect that there might be trouble somewhere in a fairly large area, quite possibly caused by random accidental events like an altercation unrelated to the gathering - i.e., no known or identified suspects. In addition, the activity was of a type that is protected by the First Amendment. Law officers are responsible for maintaining order and protecting people and property generally. Should they be prohibited from using methods like aerial surveillance, whether by drones or piloted aircraft, to identify places where disorder may be putting either at risk? Why?

State government highway patrols have used planes (mostly Cessnas, I think) to enforce traffic laws and manage traffic problems on major highways for at least thirty or forty years. They probably have used it on occasion for other purposes as well. This mass surveillance seems not to have produced much griping except by those ticketed for violations, this despite the fact that at least the traffic enforcement aspect involved people under no suspicion.

3
3

Hackers steal files on 4 million US govt workers

tom dial
Bronze badge

Re: NSA too busy reading facebook posts

NSA presently is being savaged by the Intercept, the New York Times, and ProPublica for daring to suggest (probably at the direction of their DoD management chain) that they might be able to contribute something in this area. A principal problem, apparently, is that they might capture Americans' data (some of it their own in this case) while it was being exfiltrated. The articles (at least ProPublica and NYT) indicate the requested permission was denied.

1
1

Facebook flings PGP-encrypted email at world+dog. Don't lose your private key

tom dial
Bronze badge

Re: Security from whom?

"However, nothing stops Facebook technically from sending a copy of the cleartext prior to encryption to a third party."

Exactly as is the case now. The difference is that the message will be hidden from the large number of people and organizations who previously could view it while in transit, only one of them being the NSA. And someone who has your public key is not better off in being able to read the message than someone who does not.

1
0
