* Posts by tom dial

1050 posts • joined 16 Jan 2011

Page:

As the US realises it's been PWNED, when will OPM heads roll?

tom dial
Bronze badge

Re: @tom dial

I never have been a fan of punishing those not shown to be guilty. It may please congressmen to demand resignations, and it may resonate with those they hope will reelect them, but there is no evidence that doing so will improve OPM IT operations, which seem to have been inexcusably sloppy for quite a few years before the present managers took up their positions. The damage is largely done and unrecoverable and firing those now trying to fix the underlying problems is more likely to do harm than good.

0
0
tom dial
Bronze badge

Re: Peter principle

The head of a major federal (or state) agency like OPM is largely or even primarily a go-between - between the political masters in the executive and legislative branches and those in the agency, mostly senior civil servants with quite a lot of experience, some of it often both good and applicable to the cases at hand. They are not expected to engage much in day to day management, nor should they. They instead convey political and major policy direction to those who do, and advocate for the agency and its mission to executive branch personnel at the cabinet level and to congressional committees and their staffs. They spend the great majority of their time in meetings, much of it outside the agency. Agency directors are more likely in a well-run agency to get in trouble by intervening in operations than by doing their primary, political, job and letting the permanent civil service staff care for the details of policy implementation and daily operations Conversely, in a not-so-well run agency, the director can do little more to effect change than reassign personnel.

My sense is that in IT matters, OPM had been a mess for some time, and reassignment of the previous CIO (by the previous director) with no immediate replacement probably indicated that OPM management, their superiors in the executive branch, and their congressional overseers knew it. Archuleta took office eight months later, and appointed Seymour a few months later, by which time OPM had an acting CIO for eight or nine months and probably continuied to drift along whatever path led to removal of the prior CIO. To assign major blame to either or both of them is largely misplaced, and dismissing them as likely to perpetuate the damage as correct it.

1
0
tom dial
Bronze badge

Re: Bah!

OPM management requested money and billet authorization over the years based on needs they identified in the budget request process. They never got everything they wished for (with probability not measurably different from 1.0). Yet the reports have it that they added systems without making them secure (and perhaps without knowing where and how they were attached) and reportedly let maintenance slip rather badly, which many might think unwise. The right question of OPM is not whether they received the resources they requested, but how they managed IT with what they received.

In the (DoD) agency where I worked, we received annual reductions in both money and billets, but over the years security was gradually and regularly tightened, systems were inventoried, the network maps timely maintained and an increasingly detailed set of security requirements were applied retroactively as well as prospectively. The retro part sometimes was not fully up to date, but existing systems were patched and new ones were compliant with security configuration requirements before being attached to the LAN. The firewalls were quite exclusionary, to the point of irritating developers excluded from consulting external technical web sites classified as "chat". BYOD was not discussed, remote access was by VPN using government owned and maintained equipment only, and (courtesy of the DoD PKI program) two factor authentication was the only way of access other than at system consoles. Development sometimes suffered from this. All that was as directed by the CIO and his director of security, with full support of the agency directors. And that, I think, made a difference, as successful known penetrations were not known to have occurred as of about three years ago.

1
0
tom dial
Bronze badge

It appears that OPM's IT managers have been on indoor annual leave for years. Reports say the OPM doesn't know the systems they have, or how they are connected, and have not done regular patching on some, many, or all of them. If I were updating my resume it would be a tough choice whether to show recent employment there or pretend to have been unemployed since being fired for cause at my previous job.

They almost certainly have been squeezed for resources, but that is not a fully satisfactory excuse for getting priorities so out of whack. I think the risk of losing control of this data, even the SF86 information, has been overstated. However, I can guess that management in pretty much every agency that has employees in sensitive positions is pretty pissed, partly because most of them hunkered down and managed to map their networks and patch their systems on a fairly regular basis under much the same resource constraints.

0
0
tom dial
Bronze badge

Katherine Archuleta took office at OPM in October, 2013 - not all that long ago in the context of OPM's IT management troubles. The previous director reassigned then-CIO Matthew Perry in February, 2013, and Donna Seymour was not appointed to the CIO vacancy December, 2013. Nine months is rather long for such a vacancy to remain unfilled, likely due to concurrent lack of a "permanent" director. My experience is that acting agency directors are slow to fill executive vacancies unless they are almost certain to be selected for the top position, something that is quite unlikely when that is a political appointment and the acting director is a civil service employee. Temporary executives like the acting OPM CIO also have a tendency to allow things to drift; that would have aggravated an already bad situation.

Archuleta did not come from an IT background and IT is not a primary OPM mission. There is no reason to think she would, on her own, realize the mess she had on her hands until informed by her CIO. Seymour probably arrived for duty in January, 2014, and likely would have required some time to become aware of it, and that appears to be close to the time when the penetration began to take root and begin exfiltration of data. And both of them would have had quite a few other matters to deal with. January is four months into the fiscal year, and planning for end of FY expenditure management normally will be starting. Major changes to planned activities are difficult for upper management to undertake for the current year, especially if they are comparatively new on the job and not yet familiar with who on the staff can, and who cannot, execute. It also is well into the planning year for the following fiscal years and late to be making major reallocations.

As a retiree whose personal information, including SF86, appears to have been taken, I am not at all pleased with this, but also am not inclined to jump on the bandwagon and demand that these two be sacked. Unless they can be shown to be as feckless as their predecessors (and their predecessors' placeholders) it is far from clear that replacing them would do more than extend the disorder and delay correction of the underlying IT management problems. It might be beneficial to insist that they obtain assistance from outside the agency to assist them in evaluating and correcting the situation. Given Ms. Seymour's employment history with DoD, which runs a much tighter operation than what has been reported of OPM, it would be unsurprising if OPM already had done so.

2
0
tom dial
Bronze badge

The OPM operates web applications for federal civil service retiree support, for applicants for federal employment, for completion of security background investigation requests (these are no longer done in paper form), and for at least one other federal agency. In the main, this is a result of an "eGovernment" undertaking begun (I think) under President Bush and continued under President Obama.

0
0
tom dial
Bronze badge

Re: Peter principle

Like all of the major department and agency directors, Katherine Archuleta is a political appointee. That said, there is no reason that a political appointee, if supported by competent and experienced civil service executives, cannot be quite successful as director. The problem in this case appears to be that the civil service executives had, for years, been inadequate in IT management matters.

3
0

GCHQ: Security software? We'll soon see about THAT

tom dial
Bronze badge

What springs first to my mind

is that McAfee may be thought of by others much as I think of it - a black hole for CPU cycles that drains the life out of a PC. When the agency I worked for installed it we figured out in short order that tolerable performance could be had only with a multi core CPU and plenty of memory. Some applications (Oracle development tools, as I recall) took over half an hour to start up unless they were "trusted" and excluded from the scan.

Then again, maybe the agencies have an in with some manufacturers, or the design of the products is such as to make reverse engineering unnecessary.

2
0

Open-source Linux doesn't pay, said no one ever at Red Hat

tom dial
Bronze badge

Re: Even if it doesn't pay.

As I see it, the good of systemd is that I can reboot in a small number of seconds, and the bad is that I seem to have to do it at least ten times as often, for something like a wash, except that I need to learn a new way to do things that were quite straightforward with the sysv bucket of mostly fairly simple shell scripts.

2
0

'No evidence' Snowden was working for foreign power says ex-NSA boss

tom dial
Bronze badge

Re: Remind me again...

In the case of the OPM, the primary responsibility belonged to the OPM directo, her CIO and those who work for them implementing and maintaining systems and networks.

1
0

Chrome, Debian Linux, and the secret binary blob download riddle

tom dial
Bronze badge

Re: Ban Hammer

No. Some people like chromium, and others may or may not like it but are unwilling to restrict those who do. As a blob, the software in question obviously is incompatible with Debian Free Software Guidelines and should not be included in the main repository. If Chromium downloads and installs it automatically and by default, it arguably also fails the DFSG test and should be downgraded to the non-free or contributed software repositories, but still be available to those who want to install it but do not want to add non-Debian repositories.

The reported fix, that Chromium will not download the offending module without specific user action, is a suitable alternative that preserves users' freedom while offering reasonable protection against what can be viewed reasonably as inappropriate behavior of the module. A security announcement, and distribution of the correction through the security repository, would be best to ensure the widest distribution.

0
0
tom dial
Bronze badge

Demotion time?

If Chromium is to download binaries for which free source is unavailable, it would seem reasonable to remove it from the main repository to non-free. It should be available for those of us who wish it, but easily excludable by those who are more picky about free software or object to what chromium might do.

19
0

Google on Google: The carefully collated anti-trust truth

tom dial
Bronze badge

Things I like to watch out for in presentations

1. Charts that don't show one or more of the scale units.

2. Charts and tables that show percentages, and especially change percentages, but not the base numbers/units used to compute them.

4
0
tom dial
Bronze badge

Re: Free services are not free

The technical term for what Foundem and others are doing is "rent seeking" - the expenditure of resources in order to bring about an uncompensated transfer of goods or services from another person or persons to one's self as the result of a “favorable” decision on some public policy.

(www.auburn.edu/~johnspm/gloss/rent-seeking_behavior)

2
1

'Snowden risked lives' fearfest story prompts sceptical sneers

tom dial
Bronze badge

Re: So...

With decently implemented encryption systems and reasonable key sizes, the efficient way to access specific encrypted material is to obtain the key from someone who has it and apply it. Back doors, escrowed keys, and encryption system or protocol attacks are for other use cases.

For law enforcement purposes, search warrants, subpoenas, and contempt of court punishments ought to be enough, or more than enough, for nearly all cases.

0
0
tom dial
Bronze badge

Re: Has anyone seen...

The New York Times (June 15) and the Washington Post (June 12) also covered it.

1
0

'Logjam' crypto bug could be how the NSA cracked VPNs

tom dial
Bronze badge

Re: What is unbelievable..

If "FIPS Compliant" means what it appears (and ought) the US government (a) certainly is not pushing weak encryption and (b) forbids its use by any federal agency. Any statement to the contrary requires strong evidence.

One wonders, though, how many federal agencies (e. g., OPM, Department of State, White House) actually are FIPS compliant with respect to any of the FIPS publications. It is not terribly difficult technically, but quite a chore given that in most agencies IT is not part of the primary mission and accordingly tends to be sqeezed for staffing and budge and outsourced to low bidding contractors.

0
0

Google – you DO control your search results, thunders Canadian court

tom dial
Bronze badge

Re: Dissembling

Some people might think there is a difference between taking money for posting ads, like the YP do, and also Google, although not, apparently for Datalink, and what Google apparently is being ordered to stop, responding to a search engine query. Very few would think compelling them to remove paid ads from a fraudster, but telling them to remove non-advertisement search results is bothersome to US First Amendment supporters like me.

1
0

Confusion reigns as Bundestag malware clean-up staggers on

tom dial
Bronze badge

Re: Do you know how much this costs

Or might that not be secure off site compromised backups? How would you know they don't contain the attack, all ready for reactivation at first boot?

The nearest thing to secure probably is a really old system with no peripheral equipment later than IDE, no HDD containing software (not clear how that can be enforced, though) and certainly no FDD or USB capability. Overall, not a particularly satisfactory solution.

1
0

Screw you, ISPs: Net neutrality switches on THIS FRIDAY – US court

tom dial
Bronze badge

Re: Ajit Pai Opined ...

Just as Tom Wheeler's previous employment as President of the National Cable & Telecommunications Association and CEO of the Cellular Telecommunications & Internet Association must have warped his judgment in is present employment as FCC Chairman.

Mr. Pai seems to have held public sector jobs, many of which involved representing the government's position on telecommunication issues, for about 15 of the 18 years since he graduated from law school. About five of them were with the FCC, as against a bit over two years - from 2001 to 2003 - that he spent at Verizon.

Lawyers represent their clients, and Mr. Pai presumably did so at Verizon, the FCC, and other government organizations. There is no more reason to think he supported their position out of personal conviction than there is to think Irving Kanarek defended Charles Manson or Jimmy Lee Smith because he thought they were innocent. Like Wheeler and the other commissioners, he was nominated by the President with some knowledge of his opinions and judgments about what the FCC should do, and confirmed by the Senate based on general knowledge of that.

1
2

If hackers can spy on you all then so should we – US Senator logic

tom dial
Bronze badge

It appears that almost nobody who felt a compulsion to comment on this took the trouble to read the summary, let alone the full text, of Senator Burr's bill, which appears to have two basic purposes. The first requires the federal government to share knowledge with other governments and the private sector about computer security threats and contains explicit requirements to remove personal and personally identifying information from the shared material (with an exception). The second is to allow(but not compel) other government and private entities to share such information with the federal government for specific purposes related to ensuring and improving computer security. It does not appear to allow monitoring or surveillance that is not probably legal now under contract law, although it makes it explicit and allows businesses to collaborate to a degree on information security without risking antitrust action, and offers protection for proprietary information in the form of exemption from Freedom of Information Act release. It also allows government use of the information for specified law enforcement and other purposes, including, one supposes, by the FBI and NSA to identify and attempt to interdict ongoing threats.

The bill has some vagueness and parts might be improved, including at least the following.

- clarification of the "person not directly related to a cybersecurity threat" whose identifying and other information is not required to be removed from data the Federal Government shares;

- an explicit requirement that personal and person identifying information be removed by those submitting threat information to the Federal Government; as the bill stands, this is left for the Attorney General to define in required guidelines;

- potential use of the collected threat information to inform development and implementation of information system regulations, better left out of this bill and put into any later legislation aimed at information security regulation;

- the bill incorporates part of a document "National Strategy for Trusted Identities in Cyberspace" that the President issued in 2011 that I thought a bit troublesome then and probably still would.

Senator Wyden and others no doubt will address these and other areas with amendments.

This bill probably should be severed from the National Defense Authorization Act. Its subject is important enough, and it has enough potential and actual problems that it would be better considered separately. In addition, the governments and private entities have plenty of other information assurance work to do before lack of threat information sharing becomes a significant impediment. It is not, however, the product of a seriously deranged would-be tyrant, as some might have it.

-

1
0

Decrypted WhatsApp chats laid groundwork for Belgian terror raids

tom dial
Bronze badge

Re: Should we assume a warrant was in place for this?

Well, one of NSA's two primary missions involves making and breaking codes. One might reasonably think they would assist in such matters. In view of the nature of the targets in this instance, their assistance probably would not depend on who collected the encrypted material.

1
1

Forget black helicopters, FBI flying surveillance Cessnas over US cities. Warrant? What's that?

tom dial
Bronze badge

Re: So what's new?

I completely agree about civil forfeiture. Given the well known fact that any US currency that has circulate has traces of cocaine, it is obvious that it allows the government to seize currency at will. I do not understand how it constitutes due process under the fifth amendment. I will continue to disagree that police presence at a public demonstration, including airborne surveillance, necessarily constitutes oppression or even tracking. First I've heard of kettling, though; it appears police crowd control tactics don't vary much across national borders.

0
0
tom dial
Bronze badge

Re: @I've forgotten what I wanted to say...

Indeed so. A decisive majority of many commentariats seems to be innumerate when the subject is related to crime, policing, or national security. They also appear to have forgotten why government is needed, and that the Declaration of Independence and Bill of Rights are not alone a complete description of its purpose and function.

0
0
tom dial
Bronze badge

Re: So what's new?

"What isn't allowed is plotting to use violence to do so." Precisely the point of my statement.

Despite all too frequent police and prosecutor misbehavior, there is no meaningful evidence that the US government or any part of it, or any subordinate government, is trying in an organized way to keep people from assembling to discuss, advocate for, or plan change to either the structure or the staffing of any government under the US Constitution - as long as their proposed methods are lawful. That said, it also must be said that advocates of change cannot assume their efforts will be unopposed, and they can and should anticipate pushback from other political parties and government officials they mean to replace. The opposition may sometimes exceed what the law allows. The more radical the proposed change, the more careful and circumspect they should be, and not only or even mostly out of concern for government interference. Airborne surveillance of the Baltimore riots was not "suppression" and that almost certainly is the case with other instances of FBI surveillance that recently have been in the news, just as it probably is for the RCMP's fleet of aircraft.

0
0
tom dial
Bronze badge

Re: So what's new?

People do, indeed, have a right to protest; they do not have the right to riot. Contrary to a later assertion, they also do not have a right under the US Constitution to assemble to change the regime or remove particular people from office; for that we have procedures to amend the Constitution, elections, and legal processes. Whether the people have a natural right to change the regime is another matter, rather more interesting and complicated.

Mass surveillance in the form of a circling plane bearing a camera or observer does not infringe the protesters' first amendment rights any more than the presence of police on the ground. It does not even remotely approach a fourth amendment search or seizure. It carries no presumption that anyone is breaking a law or suspected of it, and certainly does not touch on anything mentioned in the fifth amendment. Nothing about it represents unequal application of the law (that would be the fourteenth amendment). And it has nothing at all to do with the NSA (it seems to have been an FBI plane). It is a reasonable and unintrusive way for those responsible for protecting people and property to learn of trouble spots and perhaps manage the response.

I would have hoped any response would be more reasoned.

0
0
tom dial
Bronze badge

Re: So what's new?

So you are against use of any method that has the capability to put in view anyone other than a specific target whom they have good reason to suspect is a significant threat, and any surveillance not associated with identified suspects (of criminal activity)? That seems quite unreasonable. The example of Baltimore a few weeks back suggests that general - i. e. "mass" - surveillance may be quite reasonable. In that case there was good reason to suspect that there might be trouble somewhere in a fairly large area, quite possibly caused by random accidental events like an altercation unrelated to the gathering - i. e., no known or identified suspects. In addition, the activity was of a type that is protected by the First Amendment. Law officers are responsible for maintaining order and protecting people and property generally. Should they be prohibited use methods like aerial surveillance, whether by drones or piloted aircraft, to identify places where disorder may be putting either at risk? Why?

State government highway patrols have used planes (mostly Cessnas, I think) to enforce traffic laws and manage traffic problems on major highways for at least thirty or forty years. The probably have used it on occasion for other purposes as well. This mass surveillance seems not to have produced much griping except by those ticketed for violations, this despite the fact that at least the traffic enforcement aspect involved people under no suspicion.

3
3

Hackers steal files on 4 million US govt workers

tom dial
Bronze badge

Re: NSA too busy reading facebook posts

NSA presently is being savaged by the Intercept, the New York TImes, and ProPublica for daring to suggest (probably at the direction of their DoD management chain) that they might be able to contribute something in this area. A principal problem, apparently, is that they might capture Americans' data (some of it their own in this case) while it was being exfiltrated. The articles (at least ProPublica and NYT) indicate the requested permission was denied.

1
1

Facebook flings PGP-encrypted email at world+dog. Don't lose your private key

tom dial
Bronze badge

Re: Security from whom?

"However, nothing stops Facebook technically from sending a copy of the cleartext prior to encryption to a third party."

Exactly as is the case now. The difference is that the message will be hidden from the large number people and organizations who previously could view it while in transit, only one of them being the NSA. And someone who has your public key is not better off in being able to read the message than someone who does not.

1
0
tom dial
Bronze badge

Re: Security from whom?

It is a public key, so concern about the government getting it is pretty much misplaced. In fact, if they weren't in cahoots with the likes of Turbo Tax and H&R Block, the IRS would arrange to allow filing of tax returns (and possibly payments as well) by GPG encrypted and authenticated email.

Whether it is better than HTTPS or not is not clear. PGP in general, and OpenPGP in particular, have not had the number of major protocol and implementation flaws reported recently for HTTPS. On the other hand, theire use probably is several orders of magnitude less than HTTPS. But on the third hand, those PGP users, as a group, probably care at least as much and have at least as much technical expertise as do those who deploy HTTPS. Of course both actually implement encryption between endpoints of the message content, the endpoints in the case of Facebook notifications being Facebook and the Facebook account holder.

Have to agree, though, that it is most unclear that this improves journalists' security in the least. Facebook seems a rather poor choice for conducting conversations you would want kept private.

8
0
tom dial
Bronze badge

Works fine also with Enigmail/Chrome, which decrypted the return message and on request cheerfully imported the Facebook public key from the public key server at pgp.mit.edu. I haven't decided yet how much to trust it.

All in all a good thing that might induce a few to care enough about privacy to actually do something.

3
0

Nosy Brit cops demand access to comms data EVERY TWO MINUTES

tom dial
Bronze badge

Re: Have you really checked the numbers?

This article was about the UK, not the US.

However, it is not entirely clear that there is much difference between the bulk metadata collection that the US FISC authorized under the Patriot Act, giving the NSA a database that they searched a few of thousand times a year and what will be allowed under the Freedom Act, assuming it will be passed without substantial change. The data will not be materially more secure, including from misuse by the Agencies, and the number of inquiries almost certainly will increase because analysts will not be able to define queries that do database joins.

One point of similarity between the US and the UK, however, is that in both the overwhelming majority of the inquiries are generated by normal, mostly local, police activity. Extrapolating based on population suggests a number in the US approaching four million over a three year period.

1
0

'I thought we were pals!' Belgium, Netherlands demand answers from Germany in spy bust-up

tom dial
Bronze badge

Re: Is reality starting to settle in?

I truly do not understand why anyone would register a downvote for this clear simple statement of all-but-certain fact that should be obvious to anyone with the ability to enter "signals intelligence agencies" as a (google/bing/yahoo/duckduckgo) search argument. It merits far more than my paltry single upvote.

Not liking the truth is a waste of time.

0
0

Windows and OS X are malware, claims Richard Stallman

tom dial
Bronze badge

I can speak with reasonable knowledge only about US government and politics, but the mechanism here, and I strongly suspect nearly everywhere else, is something like this: Those with much to gain or lose over an issue make it a point to convey their perspective and wishes to those who manage the legal environment; those who are indifferent to the outcome, or stand to gain or lose little, do not. The legislators are beset by large numbers of such supplicants and have schedules chock full of meetings and other more or less obligatory activities. They do not normally have the time for more than superficial thought about the consequences, and their information about issues is biased strongly in favor of the views put forward by those with a big stake, and know implicitly that their vote will not greatly affect their reelection prospects.

The horrid copyright regime we have, that appears to be built into and extended by the TPP, TTIP, and similar agreements, is one example of a great many. It differs from the basic model only in that the proposed laws are being made by the executive branch in the form of treaties. The President's insistence on a straight up or down vote is simply an attempt to make sure the thing doesn't fall apart during the necessary legislative approval process.

Another example is the management of national security law and practice, where until recently the information givers have been aided by the substantially justifiable requirement for secrecy. This unfortunately also enabled companies with a substantial potential stake to finesse the issue and not push objections they might have had. Now that it is more in the open, they are beginning to behave normally and present their commercially motivated views publicly, and through lobbyists to senators and representatives.

An up and coming example is the concern for "infrastructure", presently focused on the railroads after the recent serious accident in New Jersey.

It is not obvious how to correct this fundamental problem, which probably is about equally prevalent everywhere and under all types of regime, although the details will differ.

3
0

NSA bulk phone records slurp to end when law lapses next month – report

tom dial
Bronze badge

Re: They'll still be doing it

They won't: Verizon and the other carriers almost certainly would out them if they were able to get a court order for the phone records, but no court, including the FISC, would issue one after the law expires..

0
2
tom dial
Bronze badge

The telephone metadata included cell phones; Revelation One, as I recall it, was the FISC order to Verizon for business cell phone records.

2
0
tom dial
Bronze badge

Re: Problem is already solved.

That assumes something quite unlikely, that GCHQ has physical access to US telephone metadata, or the ability to compel its delivery to them. The Section 215 metadata program that looks like being terminated is implemented by court orders that compel carriers to deliver call records to the government. It is not a "slurp" in anything like the sense of, say, the XKEYSCORE program, which will continue to be entirely lawful (under US law).

0
0
tom dial
Bronze badge

Re: Nobody says they're violating the law

Correct as to fact, I think, and certainly defensible as to the conclusion. The only thing I would add is that a government executive or legislator desiring reelection normally will be quite concerned about the possibility of being seen as partly responsible for bad events like terrorist attacks. In particular, they would worry about being blamed if it should appear after the fact (but before the next election) that it could have been prevented but for intelligence information missed, due to failure to obtain or insufficient funding or staffing to analyze. As happened in the US after the September 11, 2001 attacks.

The more recent uproar over signals surveillance should give them pause to consider other aspects of policy and law, and may lead to a better balance overall, but it will not entirely suppress the concern that they should be seen to be in favor of public safety.

0
0
tom dial
Bronze badge

Re: Who is really stupid enough to believe this?

While the activities described (in very general terms) may have violated US law, it might also be that it was not. Government agencies may sometimes do lawfully, in international affairs, things forbidden to private sector companies. CIA collection from South African agents of information is unlikely to have violated any US laws, and supplying arms design information and arms for purposes approved by the President might be illegal or not, depending on the details of the arrangements under which it occurred.

0
3
tom dial
Bronze badge

Re: Unfortunately

The documents Edward Snowden caused to be released, additional documents the government later declassified and released, and Executive Order 12333 all generally support a claim that the NSA as an agency and its employees care about and attempt, largely successfully, to follow the law as it exists. That is not to say there are not lapses sucha typographical error that resulted in collection of Washington DC calls in place of Egyptian calls, or cases of individual military or civilian employees targeting spouses or dates. It also is not to say that the agency did not seek, and sometimes obtain, expansive interpretations of the law to support what its management saw as its proper mission, or that they did not seek changes to the law to expand their legal authority. Most of the activities reported, however, are consistent with US law as it is, however much it may differ from what some of us think it ought to be, and were known of in some detail and approved by two executive departments and a properly constituted court. I suspect much the same is true, with differences due to law and customs, of the activities of GCHQ, CSEC, DSD, and GCSB.

It is quite reasonable to believe the laws should be changed, and to advocate for that, but it is not reasonable to believe, based on what we know, that the NSA, and probably the other Five Eyes agencies systematically violate existing laws.

0
1
tom dial
Bronze badge

Re: Softening us up, surely

Not clearly a "sneaky trick" although many of those now outraged by the current data collections will be in a great hurry to restore them after a future terrorist attack on US soil.

1
4
tom dial
Bronze badge

So the President did not ask for an extension. This might well indicate that the telephone metadata database was not thought all that important and was not used extensively - as the documents Snowden released illegally and those the government later declassified and released actually show. It kind of looks at present as if the sundowned parts of the ill-begotten USA PATRIOT act will expire on schedule, possibly to be replaced later by modified versions.

However, if there is another significant terrorist attack in the US the NSA, CIA, FBI and possibly others will be blamed for not detecting and preventing it. And we surely can expect calls for increased surveillance and condemnation of those who failed to vote to continue the extensive data collection will accompany the ensuing panic, as it did in 2001.

10
1

What are cellphone networks blabbing about you to the Feds? A US senator wants to know

tom dial
Bronze badge

"[Sen. Markey] is also asking carriers to disclose when they first handed over encryption keys to government agencies, allowing the g-men to decrypt subscribers' private phone calls."

Has he not heard of the Communications Assistance for Law Enforcement Act (CALEA), passed in 1994? He should see 47 USC 1002 and related material, then consider whether it is necessary for the carriers to turn over encryption keys that they may have. This question is a bit like asking someone whether he still beats his wife.

0
0
tom dial
Bronze badge

Re: Faraday cages?

http://disklabs.com/products/faraday-bags

0
0

Andreessen tips spare change into sensor startup Samsara

tom dial
Bronze badge

What could possibly go wrong?

Samsara "wants to combine 'plug-and-play sensors, wireless connectivity, and rich cloud-hosted software, all tightly-integrated for simple deployment'”.

The article notes earlier that sensors are pretty much commodity items, but would need configuring. I will be sticking to those, or at least ones that don't need to be connected to anything not on my premises in order to work.

0
0

Man sues Uber for a BEEELLION dollars over alleged theft of concept

tom dial
Bronze badge

Sanity check

1. Halpern created the Uber business model and founded Celluride in 2003, some four years before the iPhone was released.

2. In 2006, after three years doing nothing (?) with the idea, he let it slip to Trevor Kalanick.

3. In 2009 Kalanick and Garrett Camp started Uber, Halpern having spent another three years doing nothing significant with "his" idea.

Halpern's suit probably is due for a quick and unfortunate end unless he has signed documents from Kalnick acknowledging his precedence. If he is lucky, his lawyer hired on for a contingent fee and the risk of court censure for wasting a judge's time.

1
1
tom dial
Bronze badge

Re: Just another patent troll

Too lazy to search out and read the complaint, and don't want to wast the time to watch the Youtube flic. Is there a patent here (the article didn't say so) or is Halpern simply an idiot who found a lawyer to take on a contingent fee lawsuit figuring that 40% of a $1B with a probability of approximately zero might be worth a few hours and a filing fee to get a mention or two in the press?

1
1

Legal eagles want dirt on Google's 'right to be forgotten' decisions

tom dial
Bronze badge

This type of request might incline Google and other search engine operators rarely mentioned to rething their policies and change them to something along the lines of "we accept and act upon legal orders from courts with appropriate jurisdiction to delist specific URLs from presentation in those jurisdictions."

5
0

'Right to be forgotten' festers as ICO and Google come to blows

tom dial
Bronze badge

Re: Is this the correct approach?

If a "Right To Be Forgotten" were implemented this correct way, the judges, legislators, and ultimately the bureaucrats charged to enforce the rules would be seen to be the censorious meddlers they actually are.

2
0

Home routers co-opted into self-sustaining DDoS botnet

tom dial
Bronze badge

If you failed to follow the manufacturer's advice about changing the default password, it is not the manufacturer's fault.

If you turned it on with external or wifi admin access enabled, irrespective of whether you changed the password, it is not the manufacturer's fault unless they shipped it with those options, and then only if they failed to provide reasonable password changing advice.

If the manufacturer shipped with external/wifi administration enabled, and failed to provide clear (US eighth grade level) instructions for changing the default password and administrative configuration, there probably is a reasonable case.

The last time I did it, installing alternative firmware is a seriously nontrivial operation for most home consumers.

2
0

Page:

Forums