Sounds suspiciously like the government wants to make some 'evidence based' policies and has asked some nice people to manufacture the evidence for them so they can pass said policies.
90 posts • joined 3 Feb 2011
Re: potentially 440 Years? for that?
I'm afraid you're reading the headline and assuming it's true.
1) This is not just for scanning sites - 14000 brute force attempts to guess passwords is not 'scanning'. If the headline doesn't match the actual story, that should be a small clue about the integrity of the story and/or headline.
2) Most journalists have almost no clue how the courts work, but do know that inflated numbers draw people in, so they find the maximum sentence for each offence and add them all up, conveniently forgetting that sentences can run concurrently rather than consecutively and that judges have discretion when sentencing (most of the time, though there are some minimum terms that must be applied to some crimes in some states, etc.).
S-channel is a security library. Windows versions are kernel rewrites and UI updates (appallingly ham-fisted ones in the case of W8). Why would a kernel rewrite require you to re-write all the supporting libraries?
Re: Don't do shit that gets you in a database... and ...
So, in a case of mistaken identity, you get arrested for something that you didn't do (let's say kidnapping children, because we all love to think of the children). You're innocent but children went missing so your name is everywhere because the media loves a good story. You're released without charge but, deary me, your name is now associated with kidnapping children whenever we search for you. Sure there'll be links to you being released without charge, but they're waaay down that search listing because that's not really very interesting compared to you being a child abductor so ranking algorithms will do their thing on the original story. Result 1 in every search: OmgTheyLetMePostInTheUK arrested for child abduction.
But that's ok, because we have a right to know about your "mis-doings". I mean, if you didn't do things that got your name into the news or into a database, then you wouldn't have had to worry about having your name show up in a google search. It's that simple.
I should point out that I'm against making google or any search engine filter out results - I think that's better tackled by the websites hosting the content - but your contention that because someone was caught up in something automatically means that they did it and it should be linked to them forever is somewhat facile.
No compelling argument?
How about some vague hope that they can be held accountable for its security and preventing various three letter agencies (let's just call them the USA) from grabbing all the data, without a warrant, because it's held by a company whose cleaner's sister's ex-boyfriend's dog's fleas once set foot on USA soil?
Re: There's that throwaway line again
Indeed, it's amazing how many companies will tell you how seriously they take the security of your information after it's been compromised. I expect they'll be "putting procedures in place to ensure that this can never happen again".
Funnily enough, I expect companies that do take the security of my information seriously to have procedures in place already so that such breaches don't actually occur...
Make your mind up
"..., because HTTPS will encrypt all the traffic between web browser and server. Someone will still be able to snoop on all your metadata..."
"Ironically, the Junkee.com essay penned by Australian Greens Senator Scott Ludlam, in which he makes a stirring call to #StopDataRetention, was transmitted in the clear. The site Ludlam used to publish his views on security has taken no steps to protect its users from metadata gathering."
If HTTPS won't prevent metadata gathering why point out that Junkee.com is using HTTP?
Re: My goodness!
I've not been downvoting your comments, though I've just downvoted your whining about being downvoted.
This isn't Facebook, The Reg has managed to do what Zuck's mighty engineers can't do and have both "like" and "dislike" buttons. People disagree with you sometimes and they let you know.
Complaining like a child when people disagree with you makes you look like, well, a child complaining that people are disagreeing with them. Also, calling people who disagree with your comments "corporate shills" is heading down the road to Eadon-ville...
Re: Freetard redux?
Good luck proving the deliberately. They wrote a driver that works on their chips.
Some other people made chips that do what the FTDI chips do and decided to use FTDI's VID/PID to avoid writing their own driver. Unfortunately, they don't react the same way to FTDI's driver as FTDI's chips do, resulting in their PID being set to 0.
Cue management saying "We didn't pick this up in our testing, but then we wouldn't because we only tested with our chips..." or "We accidentally left in some test code when shipping the new drivers, normal QA didn't pick this issue up because..." etc.
Re: Other search engines?
So you seem to be saying that matters of public record should not be publicly available? Or they should be findable but not searchable? How is this in any way logical?
We're debating the merits of the system and who should be responsible for the data in question. You appear to be suggesting that irrelevant data should be available on the web but not searchable. If it is irrelevant, ask to have it removed from the web and it will, you know, fall off the search database too.
There's also the question of how deeply they have to filter their results. For example, can they link to an index page that links to the article? It may have links to other relevant (and unfiltered) articles too.
The implementation seems to be clumsy and removal of the data from the offending site seems more logical than asking that a link to that site be removed from search results. Removal at source, use of robots.txt, etc. would seem to be more logical than asking the search providers to judge whether a request is valid then remove those links from their index (or, more likely, hide it from users in certain countries).
Re: Other search engines? @Raumkraut
Er no they don't. Really, they don't. The people who are maintaining the sites where the articles reside bear the responsibility to keep those articles accurate and relevant.
A search engine (the clue as to what it does is in the name) should search all the articles it knows about and return results, preferably ranking these results based on their level of match to the search term.
If someone has an issue with something in an article on the web they should get the article corrected at source or taken down if necessary. That way the correct/relevant information is available to everyone, regardless of which search engine they use.
without first seeking consent
I'd rather they actually obtained consent from a judge. RIPA seems to require them only to ask a senior police officer for consent, which is not really the level of checks and balances I'd expect when they're going to be rifling through people's communications records.
And how lax was security at the airport that they stored and then redistributed an unattended bag to a random member of the public without checking it first? It's almost like all those "unattended bags will be destroyed" warnings are nothing more than security theatre...
Re: If you don't want any naked pix
Not wishing to pop your anti-Apple bubble, but you do actually need to set that sync up. I know, because I have such a device and have not configured the sync process. In fact, I checked all the settings and they were off by default so I didn't have to opt out either.
More facts, less mindless bleating please.
From what I can tell it is opt-in. You have to enter your iCloud credentials in the settings section then configure it to sync your photos, then go to the photos/camera app settings and select the option to upload your photos to iCloud as well.
This shows me you should probably investigate what you're talking about rather than making assumptions. Using the famous man-in-the-pub-said ("As several above have said...") as a source doesn't make what they said facts; a little research (it's really not that hard - try Apple's website) goes a long way.
Re: Martin Gregorie Anon Cluetard Boston Marathon Bombing
If it's aimed at tracking groups, surely they know who these groups are? If so, then how about they get a warrant and target their snooping. If not, then how the hell do they "prevent" and "disrupt" these groups' communications by monitoring everyone? How much noise are they collecting? How the hell do they work out which pattern of calls is me calling my friend with a joke and him sharing it with his friends and me calling my terrorist contacts to get them to call their bomb-making buddies and arrange a car bombing spree?
You're effectively asking an ISP to breach their contract to an end user based on Twitter's request because someone reported to Twitter that they received a tweet they didn't like.
I think you'll find that the "over-stretched police force" would still need to be involved, given that you don't usually punish someone for something unless you can prove they did it. Something to do with the rule of law and due process.
Re: To summarize....
If you watch Adult Video rather than playing with the real thing you're less likely to get a virus?
Re: JimmyPage : they can suspect all they want
So they can look at the random data generated by Truecrypt to fill the empty space when the volume was created and tell the difference between that and the random-looking data generated by encrypting a file and writing it amongst that random data?
That's one hell of an expert you have there.
With respect, that sounds like a piece of Star Trek "insert technical stuff here" script. You've used a technical phrase and followed it with your required conclusion but it is, in non-geek parlance, utter bollocks.
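The commenter's point is that free-space fill and ciphertext are both supposed to look like uniformly random bytes, so an examiner has nothing to distinguish. The following is an added illustration, not code from the thread or from TrueCrypt: it builds a constructed 64 KiB "volume" of pseudo-random fill, writes a file into it either in the clear or encrypted, and scores every 4 KiB block with a chi-square test against the uniform byte distribution. The cipher is a counter-mode keystream from HMAC-SHA256, a stand-in for TrueCrypt's real block-cipher modes chosen so the script needs only the standard library; the statistical argument is unchanged.

```python
"""Constructed demo: can a byte-frequency test find encrypted data hidden in random fill?"""
import hashlib
import hmac
from collections import Counter

BLOCK = 4096
VOLUME_BLOCKS = 16
# Mean of a chi-square statistic with 255 degrees of freedom is 255; 400 is
# more than five standard deviations above it, so random data never gets there.
CHI_SQUARE_LIMIT = 400.0


def keystream(key: bytes, label: bytes, length: int) -> bytes:
    """Deterministic counter-mode keystream: HMAC-SHA256(key, label || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR plaintext with the keystream (stream-cipher encryption; same call decrypts)."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


def random_fill(seed: bytes, length: int) -> bytes:
    """Stand-in for the CSPRNG output a volume is initialised with.
    Seeded from a constant so the demonstration is reproducible."""
    return keystream(seed, b"free-space-fill", length)


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def block_scores(volume: bytes) -> list:
    """Chi-square score for each 4 KiB block of the volume."""
    return [chi_square(volume[i:i + BLOCK]) for i in range(0, len(volume), BLOCK)]


def suspicious_blocks(volume: bytes) -> list:
    """Indices of blocks whose byte distribution is not consistent with random data."""
    return [i for i, s in enumerate(block_scores(volume)) if s > CHI_SQUARE_LIMIT]


def splice(volume: bytes, payload: bytes, offset: int) -> bytes:
    """Overwrite part of the volume image with payload, as a file write would."""
    return volume[:offset] + payload + volume[offset + len(payload):]


# Constructed sample data: a highly non-random text file, exactly four blocks long.
FILE_CONTENTS = (b"Quarterly report: revenue up, costs down, see attached spreadsheet.\n" * 300)[:4 * BLOCK]
VOLUME = random_fill(b"constructed-seed", VOLUME_BLOCKS * BLOCK)
KEY = hashlib.sha256(b"constructed-passphrase").digest()  # constructed key


def plaintext_volume() -> bytes:
    """Volume with the file written in the clear at block 5 (the detectable case)."""
    return splice(VOLUME, FILE_CONTENTS, 5 * BLOCK)


def encrypted_volume() -> bytes:
    """Volume with the same file encrypted before being written at block 5."""
    return splice(VOLUME, encrypt(KEY, b"file-nonce", FILE_CONTENTS), 5 * BLOCK)


if __name__ == "__main__":
    print("file in the clear -> blocks flagged:", suspicious_blocks(plaintext_volume()))
    print("file encrypted    -> blocks flagged:", suspicious_blocks(encrypted_volume()))
```

The clear-text file lights up blocks 5 to 8; the encrypted copy flags nothing, because ciphertext and fill are both statistically uniform.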
Re: One can only presume...
Your argument is so flawed it's hardly worth rebutting, but here goes:
1) It's not currently illegal to avoid taxes in the ways that many companies do.
2) Making it illegal at some future point in time does not make it illegal now. You can claim it does as much as you want, but it simply doesn't (short of an ex post facto law, which are thankfully not possible in some countries and are normally frowned upon because it requires some really special powers to know whether you're currently breaking a yet-to-be-created law).
"Why are these companies not being brought to book ?"
In most countries you don't bring people to book for not breaking the law.
In your road speed limit analogy, no one is saying that you could now argue that there used to be no speed limit but now there is, so I'll ignore the limit. What they are saying is that currently there is no speed limit. Introducing a speed limit does not make past driving at above the now legal limit magically illegal, but it does make continued driving at such speeds illegal.
Arguing what they are doing now is legal is not "dodging and fudging the issue". If it's not illegal, it's legal. End of story. Anything else leads to chaos.
Re: I am going to take an unpopular side here.
I'm confused. You seem to be saying that I can purchase a CD and resell that but I can't do the same with digital downloads because I might keep a copy somewhere. Has it occurred to you that I can rip the CD then resell it? Or do you trust me not to do this, in which case why can't you trust me to delete any copies I have made of my digital downloads when I resell them?
Re: Good or bad comments.
No, your 1st amendment rights are not being curtailed - the right to free speech does not mean you can freely write whatever you want wherever you want and that no one can prevent you from doing so. It merely gives you the right to say what you wish (within certain limits).
A rating system, whereby negative comments are relegated to a less visible area of the comment stream, does not prevent you from saying what you wish to say. Next you'll be telling me that, because older comments are less visible on comment streams that are ordered by date, with the newer comments shown more prominently, this is also curtailing your right to free speech because you commented first and now people have to scroll all the way down to see what you said.
In fact, as I understand it, freedom of speech provisions in the first amendment extend solely to what the government can't do to curtail your speech. Facebook is not government so they can, in fact, do what they wish with the comments. If you don't like that, don't use Facebook.
DNA or HTTP headers are not "data relative to those accounts". HTTP headers may be classified as data relative to the processing of the transaction, but the "accounts" in question are the VISA card details.
I think you'll find that "data relative to those accounts" is legal speak for cardnumber, CVC, expiry date, etc. - the data required to actually perform a transaction against the card in question. Section 18 of their complaint effectively lays out what this data is (the mag stripe data). They claim that such data may be retained unencrypted for the duration of the authorisation; this may be true, but my understanding (having had to do this kind of thing) is that you may briefly store such data in memory (pretty much unavoidable given that computers are involved), but it is preferable that this be done encrypted until such time as the unencrypted data is required, i.e. you decrypt just as you're generating the request and sending it to the bank. Logging any of it, unencrypted, is a no-no.
Section 54 of the complaint states that the log files would have been overwritten before they could have been exfiltrated, so no "data relative to those accounts" could have been compromised via the logs. This kind of suggests that some account data was being logged - why would you bother mentioning that you were storing data unrelated to the complaint in a log file in a motion to have your money returned? The only useful data in this context is card numbers, expiry dates, etc. I may be reading between the lines, but it seems a reasonable assumption to me.
Part of their defence (from the linked Wired article) appears to be that because of regular server reboots the card numbers in their server log files would have been overwritten before the hackers got to it (though what a packet sniffer is doing reading log files is not stated). Persisting unencrypted card data to log files is very much a PCI DSS violation and shows a level of incompetence I can't begin to understand.
All that being said, if VISA can't prove that any fraud was carried out using the cards that may have been compromised during the breach then they really shouldn't be gathering fines. I know that absence of evidence of fraud isn't evidence of absence, but legally it almost certainly is so the fines levied sound to be in serious danger of being overturned, assuming that the rules outlined in the Wired article are those that should apply in this scenario (more than 10,000 cards breached, PCI violation leading to the breach, more fraud than normal occurred on the cards in question).
Re: ... and yet...
"I don't think google are getting off too lightly here"
Fine for breaking the law: $7m
Performance bonuses for last year:
Eric Schmidt: $6m
David Drummond (their head legal person): $3m
Patrick Pichette (CFO): $2.8m
Nikesh Arora (CBO): $2.8m
Yeah, that fine is really going to hurt them...
In November last year, the House of Commons Justice Select Committee blasted the directive. It said that while data protection law in the EU needed a shakeup some of the plans "do not allow for flexibility or discretion for businesses or other organisations which hold personal data, or for data protection authorities do not allow us to incorporate the reforms in such a way that we can still choose to ignore them and do whatever we want with the data we and our business friends are accumulating".
"He also states that a warrant is required “to access the content of a communication”." Personally I'd rather a warrant were required before you start even monitoring my communications.
I thought I was supposed to have some sort of human rights, something about the right to private life without unnecessary state interference? In fact, I'm pretty sure this contravenes article 12 of the universal declaration of human rights:
"No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."
Recording the fact that I'm communicating with people/servers/whatever (even being generous and assuming they don't do a Google and "accidentally" store everything I send rather than just the metadata) without a valid reason sounds like arbitrary interference with my privacy to me.
Re: " I seriously doubt Balmer will be hauled into court..."
The big difference is the accessibility of your data. Upload to dropbox and only you and people you allow access can see it. Upload a video to Megaupload video YouTube and everyone could watch it.
Mind telling me why YouTube hasn't been taken down yet?
Re: Superior cookie handling?
What is this superior cookie handling of which you speak? I've used FF for years but I'm also aware that IE has had the ability to block/allow cookies per site for yonks. In fact, IIRC FF started out without this feature, which IE had for some time before FF finally adopted it.
Can't comment on Chrome as I never use it.
Re: Mixed blessing
How about having a paper copy of a manual so I don't have to lug my computer into the garden when I'm trying to set up the timings on my sprinkler system (or keep swapping between the program I'm running and its oh-so-helpful pdf manual)?
Yes, I know I could get a tablet device of some description or a second monitor, but paper seems to be a low-cost alternative that works in both cases. Or do I just not understand technology?
Re: Bad Hersfeld! Bad Hersfeld!
> Nein Nein Nein!
Emergency services, how may I help you?
I think you'll find that nuclear should be on that green grid too, as should hydro. Both are clean; nuclear has waste issues which need addressing and hydro can have environmental issues, but other than that they are pretty much clean and green from the "carbon price" (remember, it's not a tax!) perspective.
The obvious thing for Australia to do is go nuclear and solar, use hydro where feasible, and tidal if it becomes viable (most major urban areas are fairly close to the coast). We're actually pretty well suited to going "green" for our energy needs, we just need to bite the bullet and build some nuclear plants.
From my reading on Popehat (http://www.popehat.com/2013/02/06/the-popehat-signal-help-an-author-against-a-bogus-trademark-claim/), it looks like the EFF said "no". They're appealing for pro bono assistance (and have had a few replies) but they may start a fund if required.
Re: Two sided sword
Then they are guilty of libel/defamation and can be pursued as such, should either my wife or I choose to do so. Part of that process would be a request to have the offending tweet removed, but quite frankly I couldn't care less what some random person tweets about my wife's extra curricular activities because I actually trust her.
To turn your example on its head, what if those tweets weren't false? Does my wife have the right to request that factual tweets be taken down? We can both lie and say they're untrue, even if they're not. How is the service provider supposed to determine what is true and what is not?
If you want to protect speech, you have to deal with speech you would rather wasn't said but still needs to be protected regardless. There are limits, I agree, and where such speech crosses those lines it needs to be dealt with. However, the proper place for such arguments over what is illegal is in the courts. I do not believe that service providers should have to interpret laws (over many jurisdictions) to determine whether people using their services are breaking those laws. That's what judges/magistrates are for.
In what way is Twitter "responsible for much of the damage caused online"? The government may well want Twitter to allow users only to post about flowers, rainbows, and fluffy kittens but in the real world people have free will and their own causes to pursue. If, in the course of their pursuit, they break any laws, then by all means punish them using the same process as used for everyone else who breaks the law.
I really don't think that a government approved programme for the speedy removal of stuff that offends the government Australian minor celebs citizens is the way forward. If someone does something that is illegal, prosecute them - that's what the law is for. Speech can be offensive without being illegal and no one has the right not to be offended by speech.
Blame the users, not the carriers.
Re: Do no evil
"...proscribed standards...". That word, I do not think it means what you think it means.
Am I missing something here? Every virtual keyboard I've seen jumbles up the keys so knowing where the mouse was when I clicked is completely pointless since you still have no idea which key I clicked on.
I'm with the first AC on this too - which ad companies are using this? It's not something you can do accidentally (unless it's google, when of course it's just a rogue engineer leaving proof of concept code in the project and they're accidentally storing all that mouse location data unwittingly, the poor dears).
Re: Fiscal cliff is not an actual cliff......
I'm not American but I was under the impression that actual debating and proposing laws, etc. was the work of Congress. The president has the power of veto over whatever comes out of Congress, but the (hopelessly divided along party lines) Congress is the place where the real action happens.
Blame the senate and reps for the impasse. If they'd start thinking of the country and stop being so bloody partisan some actual progress might be possible.
As for "paying their true share", the fact that > 50% are not paying taxes (assuming that is true) should be ringing alarm bells - the most powerful nation on the planet appears to be failing > 50% of its population by paying them so little for the work that they do that they need state subsidy to survive. Proposing to tax these people, who are earning so little that they actually need state assistance in the first place, is a pointless exercise. Far better would be to improve their standards of pay so that they can survive without state assistance and can actually contribute to the state via taxes themselves. It may mean some businesses earning less profit, but it would increase the number of people with disposable income who will, presumably, go and dispose of this income by buying things.
Re: What I don't get is...
Because "think of the children" is so compelling. It's a battle cry that is used for both good and bad causes. I get equally annoyed when the news runs a story that, e.g. 3 children were killed. Oh, and 10 other people too.
From what I can see so far, Kim's intention is to make money from people by offering a secure, cloud-hosted, file storage service. Your suspicion that he's creating this as a place for illegal content is not based in fact and, sad to say, the law does actually require facts to prove a case.
Kim can easily point out that he has no knowledge of what data is stored on his service (nor should he know) and that it has substantial non-infringing uses. As long as he cooperates with any legal requests by law enforcement agencies (though what he could do is questionable if all content is encrypted and he doesn't have access to any means to decrypt the data), he's in the clear.
"...it's not likely to be particularly difficult to prove beyond reasonable doubt that the new site's admins know that it's being used for illegal purposes." Really? If every file is encrypted, how can this be proven? Using your logic you could argue that google knows that YouTube is being used for illegal purposes and thus should be in the dock beside Kim.
There's nothing to stop the user passing the key in the URL, I guess, except it seems a somewhat insecure method of transmitting your key. Encryption only works when your key is secret, if you're broadcasting it to the world every time you request a file then why bother encrypting at all? The server definitely doesn't want to be seeing the key (they don't want to be able to decrypt your data) and I can't see why the client would be built to look for the key in the URL - transmitting the location of encrypted data and the means to decrypt it in the same message would be a massive security hole and would remove any hope of getting "serious" businesses to use your solution.
The way they've phrased the encryption/decryption side of things, it appears to be entirely client-side. There's no reason to post the key to the server if all encryption is done prior to submitting to the server and all decryption is done as the file is received. Again, I'm assuming that security and/or limiting liability is their concern here - they don't want to be taken down like last time and not knowing what you're hosting is probably a good starting point.
Given that the first screen is a logon screen, I'd guess that the field with the key icon is your password. Why you think that this refers to an encryption key is beyond me, especially since the key isn't actually generated until a later stage. It even looks like a password field, with the password starred out.
The key generation being strengthened by "entropy from your mouse movements and keystroke timings" is just a variation on a theme, where some additional inputs are used to add randomness to the key being generated, e.g. TrueCrypt does something similar.
Note that they state that "You hold the keys to what you store in the cloud, not us". This suggests to me that the encryption key for the files is stored by the user, a move designed to prevent third parties accusing them of knowingly infringing copyright? If they are storing encrypted data only and have no way of decrypting that data to find out what it is, they really can argue that they are not liable for the content they host since they cannot even view that content. Some would say that this is a sensible move, not only in a self-preservation sense (they really don't know what the user is uploading so they can't be held liable for it) but also because it should, if implemented correctly, ensure some degree of security for the end-user's data - even if someone manages to get access to the servers where the data is stored, all they get is a load of encrypted data.
One question that springs to mind is: If all the data is encrypted and the key is stored at the user's end, how is this going to replicate the success of megaupload? You can no longer just upload a file and post the URL, you now also have to post the key so other users can decrypt the data. It's not a huge extra burden, but it's one more hoop to jump through and may discourage the less technical users from using the site unless they make it really easy to use. There are some hints that you'll be able to share files and folders with other users, but part of the success of megaupload was that you didn't need an account to download stuff.
It'll be interesting to see how this all pans out and whether this is a real change of direction from the original megaupload. It certainly sounds like they're moving from a free-for-all file hosting model to more of an encrypted file system approach with access to the service limited to registered users only but I guess time will tell.
If by "deteriorated" you mean "allows people to register trademarks" then it's been this "broken" for quite some time...
There are many examples of marks that have been registered that are simple shapes. The point is that these shapes, after much use, become an identifying feature in their own right and become a symbol that people recognise and (if you're lucky) trust. The way you protect these marks is to register them, thus preventing other people from abusing the recognition and value you have built up by using the mark on their own products.
This really isn't that sinister. If anything, you'd have to be asking why they've registered this mark now. Could it be that there is a new product line on the way?
Re: Intellectual property = vested interests = corruption
It's a trademark, so it is *very* different from a patent. A patent can be used to prevent you from making something using the patented method, a trademark simply prevents you from selling something bearing the mark in the same industries for which it was registered. Pretty much the only reason to abuse a trademark is to pass off your goods as being made by the holder of the mark.
Conflating trademarks and patents? Do you actually understand the difference or did you just want to moan about patents and saw it was an Apple thread?
Re: As many people have said here many times
I don't care how much tax any firm pays, nor where it is based - no firm should ever have heavy influence in legislation via lobbying. Governments should (I'm not saying that they always do) pass legislation based on what is good for the country and its people; companies invariably want to have legislation that is good for them.
Re: Well, obviously . . .
So any denial is confirmation of intent to do what is denied? Do you work for the Spanish Inquisition by any chance?
Re: I recall....
Apple are now busy applying for a patent for "Transmitting kinetic energy into a (male) legal scholar's gonads as a way of signalling extreme disagreement with the activities of the recipient of the energy transmission using a mobile device."
Re: Patent abuse
What "attack" is happening in this case? Samsung agreed payment terms for licenses for the patents in 2001 and 2007 and is now refusing to pay, despite others being offered and accepting the same terms offered to Samsung.
IANAL but I really don't think import bans for FRAND patents should be allowed unless it is the absolute final option to force a settlement. After all, if you're forced to license a patent then any loss you suffer by someone using but not licensing that patent can be made good by fines. Import bans are supposed to be a weapon to prevent irreparable harm and if you have to license something then the only loss you suffer is financial and is thus not irreparable.
Ericsson has tried to negotiate terms for almost 2 years and still can't reach agreement. I'd say that 2 years is a reasonable show of good faith negotiating and it's time for Samsung to have some legal pressure applied.
Re: it's all about the device and how it manages certain interactions
They could indeed change how it works, but then it would no longer be covered by the patent in question, assuming the patent is valid in the first place.
I'm not saying I agree with the patent, or the case, or that I even like Apple. All I'm saying is that the patent appears to be related to a portable device used to manage photos and goes into some detail about how certain elements of such management would be implemented, taking into account the screen size and other limitations presented by working on a mobile device as opposed to a workstation. It appears that the contention is that Samsung has used one or more of the methods described in the patent.
IANAL and to me it does seem that what Apple has done is attempt to gain a sort of software patent by describing methods of operation on a physical device that would obviously be implemented in software. Whether that is valid is for the courts to decide and, if it is invalid, then I hope Samsung's lawyers will pursue that argument strongly. Not being a lawyer, I'm not sure where the distinction between describing a method for doing something that requires software and an actual software patent is drawn.
A more interesting point to me is how do you protect a novel way of handling interactions on a device? You seem to be saying that software is just, well, software so it's fine if someone takes my novel approach and just uses it without any reward for my work in coming up with said approach?
Re: Good to Hear..
At the risk of suffering death by a thousand downvotes, I'm failing to see where the article is "small-minded, bigoted, and practically condoned domestic abuse". The article relates the facts of the story (albeit in El Reg language) and doesn't seem to suggest anywhere that violence is acceptable, nor offer any view on the rights or wrongs of transgender issues.
I can see that Jan doesn't come across as all that enlightened but calling the article bigoted seems a massive overreaction.