* Posts by tom dial

1896 posts • joined 16 Jan 2011

Equifax's disastrous Struts patching blunder: THOUSANDS of other orgs did it too

tom dial
Silver badge

This is a management problem. Few managements have the stones to suppress deviant programmers and refuse permission to use the "latest and greatest" frameworks and languages (and to stomp them out ruthlessly when they show their faces). Even fewer, I suspect, have a clear conception of how the IT portfolio should be defined and managed.

2
0

You've been baffled by its smart thermostat. Now strap in for Nest's IoT doorbell, alarm gear

tom dial
Silver badge

Wireless security

These two words taken together describe a null concept.

Nothing electrical, let alone wireless, will grant access to my home, ever. That depends on massy mechanical thingies with physical keys.

Mossback that I am, I also do not understand the need some perceive to control from a distance these things, as well as thermostats, light switches, and other things I use in the house and only when I am in the house.

10
0

DRM now a formal Web recommendation after protest vote fails

tom dial
Silver badge

Re: Elephant in the room

A citation would be informative.

0
0
tom dial
Silver badge

Re: Can it be turned off?

"What's gonna stop them?"

In the US, the first amendment lawyers and their clients who will bring lawsuits in federal court and probably win. It might work differently in the EU and other places where the government's authority extends to censorship.

0
0
tom dial
Silver badge

Re: Oh really?

Circumventing DRM may be a criminal offense. That is a problem with laws such as DMCA in the US. The incentive to apply DRM is a result of copyright law and exacerbated by its grant (in the US) of practically unlimited duration as against the much more limited grant probably envisioned in the US Constitution and implemented in early copyright law.

The blame belongs with the governments that authorize it, not the organizations that establish technical standards and the businesses that implement the standards or use the implemented DRM to protect their copyrighted material. Going after the standards organizations and the DRM developers and users is misplaced and diverts activity from the appropriate target.

The choice is not whether there will be DRM, but how many implementations there will be and how long it will be usable by copyright holders. The real question is whether copyright law distributes benefits justly among the creators and consumers of copyrightable material. That is not something for the W3C but for the governments that enact copyright laws.

1
0

Google parks old pay-to-play auction in front of European Commission – reports

tom dial
Silver badge

Re: Competing is Anti-Competative?

Google manifestly is not the only game in town. It may be the only game in town that people actually care to use, but that is a very different matter.

3
2

DoJ: Look! Google is giving up overseas data for warrants outside Second Circuit

tom dial
Silver badge

Re: Laws stop at the border.

I have not read the Second Circuit decision, the district court decision, or any of the related briefs, and am not a lawyer anyhow. From secondary sources, however, including the Register, it is my understanding that the US government's position is that because Microsoft, a US based corporation, owned (through an Irish subsidiary) the Irish data center where the data in question was stored, and Microsoft operated that data center from the US, it was a proper target for the search warrant. That argument carried the day with the district court, but that decision was overturned in the Second Circuit court of appeal. As the current article points out, they have had substantial success with similar arguments in other circuits, to the point where it appears Google may largely have given up on opposition, perhaps to file amicus briefs in a future Supreme Court case. However, I am not aware of any claim by the DoJ that they intended US law enforcement authority to extend, in general, to other foreign countries.

It is possible that the officials who sought the warrant in the first place were working the US court system to expedite access to the data they sought rather than use the lengthier and more involved process defined in MLA treaties. That may offend some, and it is not unreasonable to oppose it. The Supreme Court does not yet seem to have accepted the DoJ appeal, but in view of the different outcomes in other circuits it seems reasonable that they will eventually, and the resulting decision will settle the issue.

0
0
tom dial
Silver badge

"the government’s ability to use warrants to obtain communications abroad now depends on the 'jurisdiction and the identity of the provider'".

It does not depend on the identity of the provider and never did. It now depends on the jurisdiction, it did as soon as the Second District Circuit issued its decision, and it will do so until the Supreme Court rules on an appeal. Courts in a circuit are not required to follow decisions in any other circuit, although they may take note of them - either supporting or not - in deciding cases. The same is true for courts of appeal. The notion that DoJ is trying to influence the Supreme Court by the statement quoted, apparently in a brief in a circuit other than the Second, is absurd, although it may be trying to influence a district court to avoid the messiness associated with another appeal in a different circuit.

My own preference would be for the DoJ to use mutual legal assistance treaties where they exist, and in particular in the Microsoft case in Ireland. However, it is fairly clear that there is more complexity to the issue than is commonly noted in public discussion. Orin Kerr has discussed some of this in a number of Washington Post articles. It also is clear that under some simple rules that may seem desirable on their face it would be possible to set up a business in the US to operate servers in a foreign country in such a way that the US owners and operators would be immune from these warrants (because the data are stored outside the US) and the country where they are stored has no capability to produce the stored data (for instance, because nobody in their jurisdiction has access to a necessary decryption key). Some certainly would find that desirable, but it is not clearly good public policy to give such aid and comfort to criminals and others for whom law enforcement officials can justify search warrants.

0
0

Equifax mega-breach: Security bod flags header config conflict

tom dial
Silver badge

A number of the better - i. e., more capable and accomplished - systems analysts and programmers I have known over the last 4 decades or more had degrees in music, and several others were fairly accomplished amateur musicians. My understanding is that this is a relatively well known and documented correlation. I also have known a number of excellent programmers whose organizational management skills were on a par with my 4-1/2 year old granddaughter. The implicit suggestion that hiring someone with a music degree to a CSO job was out of line for that reason is unwarranted and very possibly incorrect.

2
0
tom dial
Silver badge

Re: I can confirm the e-mail address breach.

The vulnerability appears from the list of affected versions published elsewhere to have been relatively old, certainly a good deal older than the March 7, 2017 date on which the patch was released.

Although it is not essential, it would be interesting to know for each of these exactly when these confirming events occurred. The earliest date might provide some information about when the vulnerability was known to criminals, as against others who pay attention to release and patch notifications and vulnerability database updates. Assuming Equifax is being truthful about when the breach occurred (certainly not a given) it might also speak to whether other vulnerabilities were being exploited, as the first poster reports them saying.

0
0

Big Tech fumes over Prez Trump's decision to deport a million kids

tom dial
Silver badge

Re: @Tom Dial ... ...because we are a nation of laws

The checks and balances are there, but for going on a century or more the Congress has declined increasingly to enforce them, instead passing laws that deliver a lot of what most would consider legislation to executive branch departments and agencies. They pretend to oversee them but really cannot do so effectively.

There is no question that "immigrants" have, collectively, been to the good, whether or not "legal" at their time of immigration. The question of legality is, to a large degree, a result of legislative choices made at particular times and generally carried forward for years or decades beyond any justification cited for their enactment.

Moreover, immigrants' descendants have been more important than the far less numerous immigrants, something the advocates for "dreamers" and permissive immigration for the educated and already-accomplished (or the rich who can buy green cards for a half million dollars or so) usually overlook. One key attribute of immigrants, whether or not "legal" is their initiative and willingness to accept the substantial risk of failure that goes with moving to a new place, often enough with a different primary language and different customs. Not all of them succeeded, but quite a few did, for a reasonable definition of success. Their children and later descendants have done so even more, and there is no reason to think that won't be true of the current group of immigrants - again, whether or not "legal." The primary "victims" of illegal immigration, in fact, are the applicants who played by the rules and waited in the queue for their chance.

1
0
tom dial
Silver badge

Re: ...because we are a nation of laws

Indeed so. Enacting immigration law, like enacting all laws, is the job of the Congress, although in the case of immigration law it is one they have failed at pretty miserably for a good long time.

There is no genuine question that immigrants, on balance, have been bad for the country. It is fairly obvious (except, of course, to those whose ancestors arrived from Asia 100 centuries or so earlier) that they have much improved the country since before it was one.

There is a basis, however, to argue that the US Presidency has got far too big for our collective good, and that, too, we may lay at the feet of Congress. President Obama's DAPA and DACA exercises are small compared to the five major and several minor military actions since the end of WW II, not a single one declared a war by the Congress as required by Article I, Section VIII. It is time for it to end.

Obama, lauded though he was for it, did the unauthorized immigrants no favor by compiling the DAPA and DACA lists of those now possibly subject to deportation based on the current president's rescission of his overweening executive orders. His only excuse may be that, like nearly everyone else, he thought Hillary was a shoo-in.

6
15

NSA ramps up PR campaign to keep its mass spying powers

tom dial
Silver badge

Re: This is of course just an extra...

It is quite correct to say the job of the police is to stop terrorists. It is incorrect to say, as the post invites one to infer, that the only job of the NSA is to stop terrorists. If the NSA actually says that, it is their error, and it certainly is their error that they overstate it (or remain silent while others do) by several orders of magnitude.

The NSA and its predecessor agencies have been around for well over 75 years, during most of which the threat of terrorism as now understood was pretty much nonexistent. Intelligence and counterintelligence go far beyond "terrorism" and FISA covers far more than terrorism detection, including intelligence collection on all foreign governments that the US cares about, whether friendly or not, and counterintelligence collection such as, what caught Flynn out (but probably not Sessions, whose meetings with Russians were largely face to face).

0
0
tom dial
Silver badge

Re: Denounce them all

One might look at the fraction of the population incarcerated, or worse, for "crimes" that consist essentially of expressing opinions against the government such as, for instance, those expressed in the overwhelming majority of the comments to this article.

0
1
tom dial
Silver badge

Re: You only need to remember one thing...

The NSA developed exploits based on software and hardware vulnerabilities for purposes within the scope of their legally defined mission. Others obtained some of the exploit code and used it in their software, developed for other purposes. While NSA surely bears some responsibility, in that they apparently did not disclose the vulnerabilities to manufacturers until after theft of their exploit code, it is a stretch to assign them direct responsibility for developing and deploying programs that they did not, in fact, develop or deploy.

1
11

Judge orders handover of Trump protest website records – DreamHost claims victory

tom dial
Silver badge

Re: The problem is a disenchantment or disillusionment with the powers in authority

The problem is more complicated than "the government is not seen as acting morally or ethically" or "political authority has lost its moral mandate." Those are results more than causes.

"The government" has been oversold as "runner of the country" (or sometimes economy) which, in the case of any country with a legal market economy, which is to say one much to the "right" of North Korea, is ludicrously false. As a result, when things go wrong, as inevitably will happen, the government is constrained to accept a portion of the responsibility and blame, maybe a large one. Because it comes to be seen as ineffectual, possibly a participant in what went wrong, the government loses authority, the right to issue commands within a defined scope and have them obeyed (relatively) unquestioningly.

"The government" also is portrayed, with enthusiastic support of both candidates for elected offices and civil service officials in some of the agencies the elected officials create, as the righter of wrongs, deliverer of benefits and favors, and transferrer of resources from those with substantial resources and few votes to those with many votes and few resources. The voters, like the officials, proclaim these actions to be based on rights to avoid condemnation for being little better than thieves and racketeers and to persuade themselves of their moral rectitude. Some, maybe an increasing number, see this differently and come to doubt its righteousness and question its authority.

Finally, as enforcer of the rules that deal, at bottom, with right and wrong, "the government" is in a scarcely tenable position in a country with as varied a population as the US (or, for that matter, the UK, Netherlands, Belgium, France or Germany) where the basis of right and wrong, and more particularly its detailed content, are disputed loudly, often, and sometimes violently. Putting that together with the absurd notion that these questions can be decided for all by a majority vote has got us to a rather bad state of factionalism from which I do not see any likely deliverance.

But have an upvote anyway.

0
0

No, the cops can't get a search warrant to just seize all devices in sight – US appeals court

tom dial
Silver badge

Re: The blame lies with the judge who signed the warrant.

It is possible, and arguably reasonable, for sensible people to disagree over whether the principles stated in the Constitution and Bill of Rights change over time. However even those who take the position that they do not will mostly agree that as the environment in which criminal activity occurs, and the laws that establish the bounds of what constitutes criminal activity change, the case details presented to the police, prosecutors, and judges will change.

Court decisions like the one discussed here are case law, dependent on the particular details of the case at hand. Different judges will reach different conclusions from the same set of facts, as happened here, and may happen again if there is an en banc review or a Supreme Court appeal. There is no valid reason to presume that a decision overruled on appeal was necessarily wrong based on existing law and earlier precedent.

0
1
tom dial
Silver badge

Re: Wrong Solution

Wrong answer.

These changes nearly always take place at the boundary between what, in the past, has been considered clearly constitutional and clearly unconstitutional. They move the boundary a bit in one direction or the other and going forward, as decisions percolate through the system, warrant issue requirements change slightly. The claim that it does nothing to discourage police from repeating their error is one for which there is not a lot of evidence. Given the size and population of the US, it is likely to take some time, and sometimes quite a lot of time, for such a decision to be applied across the entire country, especially if different circuits answer a question differently and a Supreme Court decision is required to establish a nationwide standard.

As in many human activities, there is room for gaming here, and provable collaboration among police, prosecutors, and judges to issue bad warrants should be, and perhaps sometimes is, punished. However, that is not normally true. The notion that the evidence in the instant case should be used, but that the standard nonetheless should be changed does injustice to the accused, and should not even be considered. The evidence must be suppressed and the warrant issue standard modified going forward.

5
0
tom dial
Silver badge

Re: Mess

The punishment for a faulty warrant (or lack of one where it is required), if it can be called that, is that the wrongly acquired evidence is suppressed. Conviction on other available evidence may or may not be possible.

In the current case, decided by a subset of the DC Circuit, the government might request a review by the full court, or appeal; there may yet be more on this. An interesting comment from the majority opinion was to the effect that if the police had not had a search warrant, they would not have had a problem in this case. So part of the result might be a shrinkage in the number of warrants sought, something that might be an unintended, and deleterious, side effect of the ruling.

2
1
tom dial
Silver badge

Re: Mess

The police, often or nearly always in collaboration with the prosecutors they work with regularly, use the formulas that have worked for them in the past. When a defense attorney raises questions in a slightly novel way and gets a judge to agree and rule in his (or her) favor, it changes the meaning of "what worked in the past." Life goes on, and going forward the police (and prosecutors) change their approach. See Riley v. California, for example.

2
0
tom dial
Silver badge

Re: Mess

Kerr, unlike many who offer their comments to articles such as this one, is a qualified lawyer, as well as fairly well known in the particular subarea of fourth amendment and surveillance jurisprudence. In addition, he is not widely thought of as an advocate of unrestricted government search powers.

2
1

Can GCHQ order techies to work as govt snoops? Experts fear: 'Yes'

tom dial
Silver badge

Re: Who cares?

"Could" and "in practice would" are extremely likely to be far apart. I think that was the OPs main point.

In the US, the judiciary is expected to enforce restrictions like probable cause and particularity, and I expect the same is true of the UK and many other countries. Under fairly ordinary circumstances this probably works fairly well.

A major problem with this is that at times of moral panic like a major terrorist incident or attack from another country the judiciary may flinch from that duty as happened, for example, in WW II when the US and Canada interned those of Japanese origin as well as some others, many or most of them citizens of their respective countries. In the US at least, such judicial pushback as there was was spotty and ineffective, and ultimately the Supreme Court approved the internments.

0
0

Google and its terrible, horrible, no good, very bad week in full

tom dial
Silver badge

Re: "why Blacks are such fast runners?"

Yet according to some reports, those of East and South Asian ancestry are quite heavily overrepresented in US technical employment. Should we consider this to be evidence that the companies hiring them are biased against hiring white men as well, perhaps, as women?

3
0

Your top five dreadful people the Google manifesto has pulled out of the woodwork

tom dial
Silver badge

Re: asshe but

Upvoted solely for the reference to (the reference to) the "Conceptual penis as a social construct" article.

0
0

Kremlin's hackers 'wield stolen NSA exploit to spy on hotel guests in Europe, Mid East'

tom dial
Silver badge

Re: This is getting really tiresome

The lieutenants, captains, and majors learned, and some of the contemporary politicians. By 2001, some of the lieutenants, captains, and majors were senior military staff and a few were politicians. There is not a lot of evidence that as a group they were very enthusiastic about going to war. Most politicians of the mid 1970s had retired or been replaced, all too often by others whose main contact with any war was through the draft deferment letters to their local boards and whose main concerns were tightly bound to domestic issues and their reelection. In the moral panic following the September 11, 2001 terrorist attack, launching a new war with votes from the clueless was too easy, and consideration of long term strategy effectively lacking. This was aggravated by the lesson of the 1990-1991 Iraq war, in which some of the lessons of Vietnam were employed with considerable short term success.

"The US Government" does not learn lessons. Only individuals do that, and despite the high rate of incumbent reelection, the turnover is high enough that lessons learned by a particular group at a particular time decline pretty much to the vanishing point in around a generation.

As an aside: the median age in the Senate is 64, and in the House of Representatives it is 59. Both are under 70, although rather larger than the US population median age, which is about 38.

1
0

US border cops must get warrants to search phones, devices – EFF

tom dial
Silver badge

Re: Individual warrants?

Those who read the Constitution know that warrants have to be based "upon probable cause, supported by Oath or affirmation, and particularly [describe] the place to be searched, and the persons or things to be seized."

The idea of a single warrant such as described will not fly.

On the other hand, "secret" warrants are, for practical purposes, the norm in nearly all cases, and probably in nearly all countries. Notification of the target normally arrives with the warrant and is delivered immediately before a search begins.

9
0

Google's macho memo man fired, say reports

tom dial
Silver badge

Re: The facts

Thanks for this, especially the relevant references within it.

I have to say I lost all respect for Yonatan Zunger almost before knowing he existed.

0
0
tom dial
Silver badge

Re: Open discussion, oops, oppression

The employee made statements (for internal consumption within Google, as I understand it) that in some cases are well supported by research. Some people disagree with him and take offense.

Google appears to have allowed, and even encouraged such statements, then sacked him for expressing his opinion, thus proving (as a number of others have pointed out) some of his main claims.

Google is not bound by the first amendment, but their behavior, if as described, reflects much more badly on them than on their former employee.

5
0
tom dial
Silver badge

The author did not argue that the generalizations that apply to women as a population made any particular woman less able than any particular man at any particular job (other, maybe, than bearing a child). He did make statements supporting the claim that the population differences may lead to differences in particular subpopulations such as, for instance, that of Google technical employees.

3
0
tom dial
Silver badge

Re: This is not about diversity and positive discrimination

Arguing from specific cases to general statements about the population as a whole is not valid reasoning. In particular, it is entirely possible that the particular female persons mentioned were at the extreme of both male and female groups with respect to stress endurance, and at the same time, that the trait is less common among women than men.

It is, of course, equally invalid to argue from the proposition that because a desired trait is less common in a subpopulation, say of women in comparison to men, that a particular woman lacks it, or even is less likely to possess it than men.

2
0

WannaCry-slayer Marcus Hutchins 'built Kronos banking trojan' – FBI

tom dial
Silver badge

Incorrect in part. NSA hires contractors whose employees sometimes are untrustworthy, careless, and possibly clueless. In addition to Reality Leigh Winner, there also is the example of Harold Martin III, who is charged with taking home a half terabyte or so of classified program code. Neither provides a basis to disparage the code of what Martin took or that released through Shadow Brokers.

The WannaCry code, by various reports, was not well thought out including, but not limited to, the "kill switch."

1
0
tom dial
Silver badge

I expect better quality than WannaCry from my NSA.

9
8

Linux kernel hardeners Grsecurity sue open source's Bruce Perens

tom dial
Silver badge

Re: Seems fine to me

The analogy between a private contract issue and state action is badly flawed.

GRSecurity's contract does not restrict their customers' right under GPLv2 to redistribute the patches. Nothing in GPLv2 appears to require GRSecurity to distribute any patch to anyone unless they put such a requirement into their support contract. They do not, instead including a provision that terminates distribution of future patches to someone who redistributes current or prior ones. This does not limit their customers' right to do the distribution no matter how much it may influence them; it is their choice to distribute or not and to whom, just as it is GRSecurity's.

I also am not a lawyer, but a look at Bruce Perens' post, the Open Source Security filing, and summaries of the cases the filing cites suggests the suit may not go very far.

0
6

Big Internet balks at fresh effort to crack down on sex trafficking

tom dial
Silver badge

I also have read the bill, and it is incomprehensible without also reading the much more voluminous law that it amends. If its effect is reported here with the decent accuracy usual with The Register, it is a bit like shooting the bearer of bad news. The targeted web sites may be facilitating commerce in activities we don't like and that are harmful, but as other posters have noted are a boon to law enforcement officials in finding and shutting them down. Shutting down the web sites will not make the activities go away, or likely even interfere with them much, but will make them harder to detect and disrupt.

2
1

It took DEF CON hackers minutes to pwn these US voting machines

tom dial
Silver badge

It is "known" that vote fraud is (nearly) nonexistent primarily because there seems not to have been a diligent search for it. Suggested use cases include college students registering and voting where they attend school and also where they live when not attending school; and those who recently moved from one state to another, who might remain eligible in both states for several election cycles due to widespread sloppiness in registration list maintenance, combined with extreme resistance to efforts to compare registration lists between states. I thought about doing this the first time when I attended graduate school in Michigan while my legal residence remained in Ohio, and again when I moved from Ohio to Utah a few years ago.

Hand marked paper ballots, whether counted by hand or machine, are obviously superior to any voting machine.

1
0
tom dial
Silver badge

Re: The security of voting machines

Many, perhaps most, voting machines do produce a paper record that can, at need, be used for a recount.

Two observations may be pertinent, however. First, it is not obvious that the code could not be altered so that the information recorded in the internal memory device used for counting differed from what was presented on screen and on the printed tape. It would have to be done pretty far upstream and would have to be done carefully, and probably would be possible to discover by doing a hand recount of the paper tape from corrupted machines. (Absent the paper tape, of course, all bets are off, and those who sold, and bought, such machines should be ashamed if they are capable of feeling shame). Second, hand marked paper ballots as used for a couple of centuries, more or less, also do not provide a receipt. Trust is reinforced by evident physical controls like tamper-evident seals and padlocks, as well as oversight by election officials generally required to represent at least two political parties.

0
0
tom dial
Silver badge

Re: There's a fix for this

1. Is not an effective fix against those who can corrupt the code far enough upstream.

2. Hand recount of a selected small sample is not immune to manipulation by suitably placed election officials who may know which machines were tweaked.

The realistic solution is hand marked paper ballots. There is no need for, and at best marginal benefit from use of machines, although there may be some cost saving. The primary beneficiaries are the newsreaders of the nighttime news shows, and the election night shows that can "call" the elections before most of the people have gone to bed. There really is no good reason, though, that we all cannot wait until sometime the following day, especially as the official results normally are not posted for a week or ten days (or sometimes more) anyhow, to accommodate such things as legally required recounts, other recounts, and absentee ballots received after election day.

2
0
tom dial
Silver badge

Politics, at least in the US, nearly always is partisan. There may be claims otherwise, and formally non-partisan elections (as in many places for such things as judicial positions and public boards, e. g., boards of education), but it is a sham wherever it occurs. In the US, everyone at all clued in knows who are the Democrats, who are the Republicans, and who are the "independents." And those who pay close attention also know which direction the "independents" lean.

Talk about "when politics becomes partisan" is almost all nonsense.

9
0

Reminder: Spies, cops don't need to crack WhatsApp. They'll just hack your smartphone

tom dial
Silver badge

QQ

The NSA is on both sides of the issue here, in that they are responsible for creating and validating cryptographic systems on one hand and for analyzing and breaking them on the other. They seem to have insisted on improvements to DES, for reasons they did not state and which did not become apparent for some years. They did less well in the case of the Clipper and Capstone chips that provided for key escrow, although the embedded Skipjack encryption apparently was relatively good.

They may have constructed the NIST recommended values with intent to weaken the Dual_EC_DRBG, or they may not; and available evidence seems not to have been produced. Their delivery of the P and Q values as "magic" numbers does not encourage optimism, but it is not proof. In any case, Dual_EC_DRBG's poor performance and observed bias discouraged its use in practice, or should have. Moreover, anyone who felt a need to use elliptic curves for pseudorandom bit generation had a usable recipe in freely available NIST publications for generating their own (different) parameters, which would not be vulnerable to any knowledge NSA might have acquired by producing their values dishonestly. However, the resulting DRBG probably would not have been marketable to the US government due to non-conformance with NIST SP-800-90 and its successors as well as rational doubt about the alternate parameters.

0
0
tom dial
Silver badge

Re: This is worse than backdoors into encryption

Nothing in the Register article or the Deutsche Welle article to which it links gives a reason to think police collection using the authorized hacking tools "taints" evidence more (or less) than a wiretap applied to telephones in the past or a listening device surreptitiously planted in an office or residence. German law probably differs in detail from British or US law, which would require a search warrant, but certainly would have formal procedures intended to (a) allow use in criminal proceedings when properly authorized and (b) prevent unauthorized use.

US law, and probably that of many other countries, already requires that communication providers include facilities for legal wiretaps. This sounds like a backstop for cases where, even with that in place, users make such arrangements that the providers cannot give access to the communication content.

We know that lawful wiretap provisions have been misused, most famously by *someone* who used Vodafone's Ericsson switches to bug around a hundred Greek government officials in 2004 and 2005. Although the Register article (from 2007) calls out the NSA, the IEEE Spectrum article to which it links does not make attribution, and doing so would need to consider the overall international political environment of the period 2000 - 2004 and that there might have been others, including non-government organizations, with both the expertise and motive to exploit the locally available technical resources and execute the hack. The NSA certainly is a reasonable candidate, and this would, for them, have been (under the applicable US law and presidential executive orders going back many years) lawful foreign intelligence collection. As it would have been under the laws of most countries other than Greece. The IEEE Spectrum article, at

http://spectrum.ieee.org/telecom/security/the-athens-affair

is quite interesting and well worth reading.

0
1
tom dial
Silver badge

Correction. We know the following about Dual_EC_DRBG:

- NSA provided the NIST the required elliptic curves and recommended EC parameters p and q;

- If p and q are related in a certain way, there is a back door;

- The NIST paper gave instructions those who were suspicious and wanted to roll their own could use to generate their own values for p and q, and that those instructions, if used correctly, made the probability of a back door vanishingly small (but not exactly zero);

- The probability that normal developers and users would bother to pick their own p, q was small and, as far as I know, was not done commercially.

We do not know how the NSA produced the values given in SP-800-90 and its successors. In particular, we do not know that it was not done in the way described in Appendix A of SP-800-90.

While I anticipate a substantial number of negative votes, I would much rather see a credible reference to a source that establishes whether or not the DRBG was corrupt in fact, rather than simply constructed in such a way that it might have been.

2
0
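The relationship the two Dual_EC_DRBG comments above describe (a back door exists when P and Q are related by a scalar only the parameter generator knows, and an Appendix A style derivation of Q from a seed is what removes that relationship) is easiest to see on a toy instance. The following is an added example, not code from the posts, from NIST or from any real implementation: the curve y^2 = x^3 + 3x + 7 over GF(2^31 - 1), the hash-to-curve routine, the seed, the 8-bit output truncation and the trapdoor scalar `e` are all chosen here for illustration. The real generator uses P-256 and drops 16 of 256 bits per output; the structure of the attack is the same.

```python
"""Toy Dual_EC_DRBG showing why P = e*Q is a back door.

Illustrative example only.  Curve, base points, truncation width and the
scalar `e` are all assumptions made for this demonstration.
"""
import hashlib

P_MOD = 2**31 - 1                 # Mersenne prime; p % 4 == 3 makes sqrt one exponent
A, B = 3, 7                       # curve y^2 = x^3 + A*x + B (arbitrary choice)
TRUNC = 8                         # high bits dropped per output (real spec: 16 of 256)
KEEP = P_MOD.bit_length() - TRUNC
MASK = (1 << KEEP) - 1


def inv(x):
    return pow(x, P_MOD - 2, P_MOD)


def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc, cur = None, pt
    while k:
        if k & 1:
            acc = add(acc, cur)
        cur = add(cur, cur)
        k >>= 1
    return acc


def lift_x(x):
    """Return a point with x-coordinate x, or None if none exists."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None


def point_from_seed(seed):
    """Crude hash-to-curve: SHA-256 the seed, step x until it lifts.
    A stand-in for the verifiably random derivation in SP 800-90 Appendix A,
    not that procedure itself."""
    x = int.from_bytes(hashlib.sha256(seed).digest(), "big") % P_MOD
    while True:
        pt = lift_x(x)
        if pt is not None:
            return pt
        x = (x + 1) % P_MOD


class DualEC:
    """One output per call: r = x(s*P); s <- x(r*P); emit truncated x(r*Q)."""

    def __init__(self, P, Q, seed):
        self.P, self.Q, self.s = P, Q, seed % P_MOD

    def next(self):
        r = mul(self.s, self.P)[0]
        self.s = mul(r, self.P)[0]
        return mul(r, self.Q)[0] & MASK


def recover_state(e, out1, out2, P, Q):
    """Attacker knowing e with P = e*Q: brute-force the dropped bits of out1,
    lift to R = +/-(r*Q), then x(e*R) = x(r*P) is the next internal state.
    out2 is used only to confirm the candidate.  Returns a synchronised clone."""
    for hi in range(1 << TRUNC):
        x = (hi << KEEP) | out1
        if x >= P_MOD:
            break
        R = lift_x(x)                 # sign of R does not change x(e*R)
        if R is None:
            continue
        clone = DualEC(P, Q, mul(e, R)[0])
        if clone.next() == out2:
            return clone
    return None


def demo():
    """Trapdoor parameters: Q from a seed, P = e*Q with e kept by the generator."""
    Q = point_from_seed(b"toy Q seed")   # assumed seed
    e = 0x2F1A9C3                        # assumed trapdoor scalar
    P = mul(e, Q)
    gen = DualEC(P, Q, seed=0x5EED)      # assumed victim seed
    t1, t2, t3 = gen.next(), gen.next(), gen.next()
    clone = recover_state(e, t1, t2, P, Q)
    return clone is not None and clone.next() == t3


if __name__ == "__main__":
    print("state recovered from two outputs:", demo())
```

Two outputs are enough: the first yields the state up to the dropped bits, the second disambiguates. Deriving P and Q independently from seeds (so that nobody holds an `e` with P = e*Q) is exactly what the "roll your own parameters" advice in the comment amounts to; with the holder of `e` out of the picture, `recover_state` has nothing to work with.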

Judge uses 1st Amendment on Pokemon Go park ban. It's super effective!

tom dial
Silver badge

Public parks are public, generally for use by members of the public for such legal activities as they see fit. It is not obvious that AR games are intrinsically harmful to the point that they need banning or restriction, or that the horrors that the Milwaukee Board of Supervisors listed in its various WHEREASes justify the badly thought out ordinance they passed. It also is not obvious that the Supervisors, as a group, are very well suited to decide the park's intended purpose.

It also may be noted that neither the Texas Rope 'Em game nor, as near as I can tell, Pokemon Go is a group activity, although it is plain that either may be played by many people concurrently and in the same general location.

1
0
tom dial
Silver badge

"Prosecute the perps," as they could have done in the first place without enacting a probably unconstitutional ordinance.

4
2
tom dial
Silver badge

Re: Amend this!

The Constitution and its amendments were intended to define the limits of federal government action (and, with the fourteenth amendment, state and local government action as well). The SJWs who at present (since Citizens United) are so hot to rewrite the first amendment need to be extremely careful that any reformulation does not come back to bite them.

13
9
tom dial
Silver badge

In general, a flash mob gathering also would be protected by the first amendment. Some, or even all, of the participants might act in ways that violate the law or local ordinances, but that is an entirely different matter. The mob gathering place might have an effect, too: those in a flash mob that collected in the middle of a busy street or highway might well be arrested, perhaps for jaywalking or blocking the flow of traffic. (A content-neutral prohibition of that probably would pass a reasonable first-amendment examination).

9
0

BOFH: That's right. Turn it off. Turn it on

tom dial
Silver badge

Re: The power of suggestion

I am reminded of an acquaintance's experience on the IT support staff of a major regional US law firm.

Unless they were terminally bored, unlikely in a firm with over 400 lawyers, their standard instructions to callers were to defrag and reboot. Occasionally it fixed a problem, but in all cases it put the caller off for half an hour or so.

8
0

Feelin' safe and snug on Linux while the Windows world burns? Stop that

tom dial
Silver badge

Re: about 12 per cent of servers run non-Windows OSs!?

It is a reasonably good bet that the Five Eyes and similar signals intelligence agencies elsewhere have done the research and have a good idea of real usage, as well as the usage among their respective target populations, which might be significantly different. For a number of reasons, however, they won't be publishing anything about it.

I expect that Google and other search portal operators also would be able to report such information pretty accurately.

1
2

Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide

tom dial
Silver badge

Re: The real blame goes to..

Microsoft released patches for currently supported operating systems two months before the WannaCry exploit. Unless things have changed dramatically since the middle of 2012, outward facing US DoD systems were patched well before a month after patch release - the requirement then was to patch Category I vulnerabilities within 15 days of patch availability. EternalBlue unquestionably was a Category I vulnerability. So was use of an unsupported software product like Windows XP, although there is no remediation for that, not even application of a patch for the vulnerability; Windows XP would have been disallowed within the DoD as of April 30, 2014.

Use of SMB version 1 might or might not have been as severe a vulnerability, but it would have been one beginning when Microsoft deprecated it, and at worst ought to have been discontinued within 180 days, which would have been before the end of 2014.

The DoD is a far from perfect organization in IT as in other things. But the outlines of their information assurance standards are not that hard to understand or, in principle, to implement. Their implementation is tedious, annoying, expensive in terms of staffing, and all too often disruptive to the operations the IT staff support.

Many organizations, including the DoD agency that employed me, do not consider IT part of their core mission. For some, not including my agency, that results in treating it as a cost center to be starved of staff and funds to the maximum possible extent, heedless of the potential cost and damage that inattention to security patching and configuration can bring.

Blaming the NSA may have some merit, but their behavior in retaining some vulnerability knowledge was approved at the highest level in the executive branch and certainly is not meaningfully different from that of similar agencies in other countries. At least as much blame is due the management of organizations victim to these recent attacks.

1
0

We'll drag Microsoft in front of Supremes over Irish email spat – DoJ

tom dial
Silver badge

The hypothetical case setup was specified in such a way that the operators in the foreign jurisdiction are not able to assist, for instance because the data are encrypted using a key they do not possess. The courts in that jurisdiction might have the authority to order those under their jurisdiction to comply, but they do not have the power, and they do not have the authority to order the US based operators, who have the power to comply, to do so. US courts, under the second circuit's reasoning, do not have the authority to demand that the US operators, who are able to produce the required data, do so. The MLATs, and the related and supporting laws, likely need to be refined to cover process in such cases; if not, it seems quite likely that such services will be offered if they have not been already.

0
0
tom dial
Silver badge

Hypothetical case:

${US Co} contracts with ${NonUS Co} for data center and storage service located physically outside the US (the two companies being unrelated) but retains full operational control of the servers and storage. ${US Co} then offers for sale email and data processing storage services to US customers, guaranteeing that all processing and storage will be offshore.

Where does the US government go for assistance when they find a US-based (alleged) criminal enterprise is using ${US Co}'s service for its email and data processing needs? Stipulating that ${NonUS Co} cannot assist under a MLAT, should ${US Co} be immune from executing an otherwise proper warrant for data related to operation of the alleged criminal enterprise?

0
12

Biting the hand that feeds IT © 1998–2017