The purpose of the raid was clearly intimidation. It worked but it bothers me that law enforcement considers that sort of tactic justified. On his blog he says he had just returned from a turkey hunt. He was damn lucky the swat team didn't show up as he was returning, gun in hand. In that sort of situation if Deric, amidst the surprise and confusion, had reacted wrongly in the slightest way without meaning to, he would have ended up with 57 bullets in him before getting a chance to say anything.
Was it just his loose affiliation with "Anonymous" that motivated the FBI to stage such an intimidating raid? Who knows, but it certainly wasn't his record of having never been arrested before.
That is interesting, but I don't believe it extends, in general, to other law enforcement activities. Some parolees, no doubt, have agreed, as part of their parole, to have their social media accounts monitored. Neither IP address or cookies alone will identify an alternate account as belonging to the parolee, so they had better be pretty damn sure their not accessing the account of someone else. I would like to know the grimy details of how hidden account access takes place. Another troubling aspect is that friends of the parolee have lost some privacy here. This could be considered similar to the case where law enforcement has the right to search a car if one of the passengers, even a hitch hiker, is a parolee.
The NSA wears two hats: 1) to collect signal intelligence on foreign governments and individuals and 2) protecting the communications of US government, business, and citizens as well as general computer security stuff. For example, a secure linux version was developed by the NSA. Ostensibly, Google's arrangement with the NSA was to help investigate the Aurora attack and help secure Google's servers against further security breaches. Although, you never know if the NSA is keeping it's other hat in their back pocket.
Glenn Greenwald, working for the Guardian, who along with reporters at the Washington post have apparently gotten a series of leaked documents from a source connected to the NSA, writes today :
"I don't have time at the moment to address all of the fallout because - to borrow someone else's phrase - I'm Looking Forward to future revelations that are coming (and coming shortly), not Looking Backward to ones that have already come."
Prism is a colorful euphemism for siphoning off private information and communications directly from company servers. I would prefer the name "vampire tap" which also has the basic meaning of creating a branch off a communications network for those old-timers who remember the yellow coaxial cables for Ethernet. It also has the more truthful connotation of sucking the lifeblood from the American people. Then again, maybe the younger crowd, who seem to idolize vampires, wouldn't mind.
It is not patent infringement to do research on a subject or device that is covered under a patent. It is not patent infringement to even create a device that is already covered by a patent belonging to someone else. Infringement only happens when someone, without licensing a patent, tries to sell a product, or license the technology, or file their own patent (interference). Solaroad Technologies, Kahrl Retti in particular, has jumped the gun in whining about patent infringement. They have done it in a way that comes across as sour grapes and jealousy toward an 18 year high school girl.
Firstly, you should know that if Eesha Khare were to try to commercialize what she got the Intel Young Scientists Award for, the intellectual property would be assigned to the University of California, as she did her work under the tutelage and in the lab of Yat Li at UC Santa Cruz. You might have done a lot better by just sending a threatening letter to the UCSC Office For Management of Intellectual Property rather than give your company some bad publicity by resorting to petulant whining in the tech media. Do you seriously think that projects for the Intel Science and Engineer Fair should be vetted beforehand for possible patent infringement? The focus here is on science education. The $50,000 award that Eesha Khare received was for her education, not an investment into a, potentially infringing, product. Finally, Eesha khare may eventually start up or be involved with a company that looks to actually develop a real usable product based on supercapacitors. Then, and only then, should you threaten and sue if you really think your patent (if not abandoned) is being infringed upon. We look forward to that future court fight.
Wally has pointed out several issues with how Google operates. They are somewhat related but not closely enough for me to figure out what point he is trying to make.
-the use of spiders is the first step to setting up a search index of the web. It is the bottom layer here. Necessary, but any kind of page rank algorithm (relevancy?) takes this basic information and tweaks it in their own way. On its own, an index of the web does not determine page rank. This was Google's innovation back in 1998.
-There is a basic issue with user privacy vs Google's business model of using search data as a basis to extract advertising dollars. I have not recently followed their data retention practices, so I accept his statement of 9 months limit or lack of it. However, what has this got to do with the story at hand here about TerraCom's security/privacy issue?
-Someone else (the user in the industry?) thinks that Google is being lax in security because they list the URLs for which the robots.txt file is asking not to be followed. This is not any kind of security failing. I assume that Google's spider is not recursively following the hyperlink that URL represents or executing any code to produce a dynamic web page for that URL. That is the real intention of robots.txt. I think it is a minor issue that Google now lists the URL that begins a blocked branch. As the robots.txt file can be simply ignored, any real attempt to restrict access to the data on that page should require an authentication/authorization step.
Google's security interest in labeling certain sites as dangerous is completely separate from any concern about indexing pages that the owner would rather have private. Such dangerous sites are identified, as best as possible, to contain malware such as a cross site scripting vulnerability.
In Wally's final sentence I don't see the connection between the technical ability of Google to view the content of email on the gmail domain with the security failings of TerraCom/Vcare. A series of statements with varying validity that do not have any obvious connection is, to me at least, the definition of rambling.
Maybe I am being too critical. After all this is just a forum where people, perhaps with limited time, just throw out thoughts to be consumed and either ridiculed or praised. I am loathe to trot out my credentials, but I have worked on network protocols for thirty years and network/computer security for 6 years.
The use of robots.txt is in no way a security measure. It was never intended to be and definitely should not be used as such. It is simply intended to relieve servers of unnecessary traffic as a result of spiders actions. Any script kiddie can do the same thing as a spider and intentionally ignore the request that robots.txt files represent.
I kind of doubt it because this clever high school student worked with a John Hopkins University researcher and used the lab facilities there. It would seem that John Hopkins University would have the intellectual property rights over this invention in the form of a patent.
I believe the motivation for usurping student copyrights is that school boards are notorious for grasping at whatever mechanism that gives them control over students. Suppose a student wrote an essay that, heaven forbid, caused a disruption in school and the community at large. What better way to suppress it, in this internet age where duplication is so easy, by claiming copyright infringement everywhere it appeared. Oh, "fair use" what's that? School boards always have more important considerations in protecting the children.
So, it seems the rationale for phone based browsers always going through a specialized proxy is that the proxy will do the compression and rendering that would tax the limited processor(s) on the phone. The user sees a quicker response time. The rationale for becoming a MITM during an HTTPS session is, again, to allow Nokia servers to the rendering which can only be done for an unencrypted web page and compression which is only effective on unencrypted data. Also, the browser will be smaller if it doesn't have to distinguish HTTPS from HTTP traffic and then do all that rendering and compression itself.
It would have been nice if Nokia, and other smart phone makers, had been more upfront and explicitly pointed out the compromising effect on HTTPS of how they use their proxy servers. I can't say I'm surprised with their attitude of we don't actually eavesdrop so it's all OK. What is a little surprising is how they "fixed" this, supposedly in response to Pandya's blog. They now tunnel the HTTPS connection through an HTTP connection to the proxy. One does not need to use a proxy at all in this case though. Perhaps it was easier and quicker for them to still funnel all traffic to their proxy servers. I don't understand why Pandya notes that this is better but still "bad news" as the HTTPS traffic in this situation provides confidentiality.
This whole issue of compromising the confidentiality of HTTPS traffic should soon be moot as phones, smart phones in particular, incorporate more powerful processors. What is a bit scary is if law enforcement decides that such proxies should be required solely as an eavesdropping point for their purposes. I would be surprised, for any Nokia proxies in the U.S., if law enforcement didn't claim that CALEA required Nokia to store and allow access to compromised HTTPS traffic when a warrant or subpoena was served.
The PCI DSS covers business practices. Conforming business must provide a method to transmit card data securely. If the client decides to defeat that security by going through a proxy that does not tunnel the HTTPS connection then it is not the fault of the business and does not violate the PCI standard. Maybe Nokia isn't explaining well to it's clients that using their phones essentially breaks the confidentiality of all information passed through an HTTPS connection but NOKIA isn't the processor of the card transaction and so doesn't come under the PCI DSS standard. They also claim not to look at or store this information so a business could still claim to be compliant even if they encourage transactions over a NOKIA phone.
The same arguments work for HIPAA. NOKIA is not a health care provider and although they may have potential access, they do not eavesdrop or store the data. A close analogy would be talking to your doctor over the same phone in a voice conversation. Although NOKIA, ATT, or whatever telecom, has potential access to this conversation, they supposedly don't listen in or record such things without a warrant with the small exception of the NSA's nationwide warrantless eavesdropping program which will soon record everything.
I think we have reached a point though where the security practices of communication intermediaries need to be taken into account in such standards as HIPAA and PCI DSS.
Since the cam was taken as evidence, there must be tracking showing all who were in possession of it. The video itself is certainly evidence pertaining to the two charges Henderson has been accused of. One, of at most a handful, of law enforcement officers who handled the camera had to have deleted the video and thus deleted evidence that would have been useful in the trial. The police here have put themselves in a bad situation and I'll bet charges will be dropped before a trial occurs. Recovery of the deleted video would help Henderson's case tremendously.
Although the HIPAA violation is noted in the citation the policewoman handed out Henderson was actually charged with just "obstruction of legal process and disorderly conduct, both misdemeanors". This is enough bullshit on it's own but it looks like the law firm that handles the misdemeanor prosecutions in that county decided the HIPAA violation was just too much bullshit.
In the article, the police claim they didn't delete the video. I am not specifically familiar with digital cam filesystems but if it is close to typical computer filesystems then deletion means just deleting the directory entry. In fact, the directory entry may still be there, and with a timestamp, but just marked as being invalid. It is possible that Henderson could recover the file, but he should try to do this before using the camera further. If he used a computer forensics expert to do this the recovered file could be more convincingly used as evidence in court. If during trial the policewoman testified under oath that she did not delete the video and then evidence was presented that the video was actually deleted, well, that would be perjury proven.
This is currently true which is why it is not so worrisome that they are working on such a standard. Standards have to be adopted and implemented and the ITU, or it's former moniker CCITT, does not have a good record on getting telecom initiated protocols standards adopted in the real internet world. A case in point, the Internet uses the TCP/IP protocol stack rather than a protocol stack based on the OSI Reference Model. The fact that a proposed DPI standard does not take privacy into account only makes it harder for the ITU to have any success in getting the standard adopted.
What is worrisome is if global politics change enough so that ITU can mandate such standards. This is why what happens at the current WCIT meeting and the response of the world outside of their star chamber is so critical. However, I see the most likely path for adopting DPI standards is for individual countries to mandate this ability via laws such as an expanded CALEA in the US. This has to be done in a way that allows the protocol stack to still be interoperable with countries that respect privacy.
I apologize in advance for all the techy acronyms but my time is limited today so I am being lazy in writing this.
I like that story. Not that it matters anymore, but taxi cab storage was probably a bad idea. The disks were undoubtedly the "Winchester" type and when powered down the head would be parked on a "landing strip". Still, subjecting these drives to jolts from a taxi riding over bumps in the road could damage the head or cause it to be misaligned. You would have known though it that actually turned out to be a problem. Also, I wouldn't trust a taxi driver with the company database. Although, that is probably due to an unreasonable bias towards cab drivers. I won't mention the numerous arguments with them (not in the U.S.) over fares and the one physical fight with a driver who nearly ran me down while I was walking.
In this case they were not dealing with unknown malware that was steadily erasing the system as they watched. There was, apparently, a delete event at a single point in time that had repercussions that made things disappear while people worked on the movie. I'll bet things disappeared when whatever editing was being done required a file to be refreshed. A refresh operation would make the related object disappear when the underlying file was no longer available. Apart from the set of files that had already been deleted, more files could have been corrupted when the computer was unplugged. Having said that, this occurred in 1999 when they were probably using the Ext2 filesystem under Linux. These days most everyone uses a filesystem that includes journaling which protects against corruption that may occur when a computer loses power. Ext3 is a journaling filesystem and was introduced in 2001.
In 1998 I had to rebuild my entire home computer system. A power glitch introduced corruption in a Windows 95 system file and use of a Norton recovery tool rendered the entire disk into a handful of unusable files. It took me ten hours to rebuild the OS and re-install all the added hardware, software, and copy personal files from backup floppies. The next day I went out and bought a UPS. Nowadays, sometimes the UPS for one of my computers will fail during one of the three dozen power outages a year I get here. I no longer have problems with that because of journaling.
Oren Jacob, the Pixar director featured in the animation, has made a comment on the Quora post that explains things in much more detail. The narration and animation was telling a story, as in storytelling. Despite the 99% true caption at the end, a lot of details were left out which misrepresented what had happened. Still, it was a fun tale for anyone who had dealt with backup problems. Oren Jacob's retelling in the comment makes it much more realistic and believable.
The terabytes level of data came from whoever posted the video on Quora. The video itself never mentions the actual amount of data lost or the total amount the raw files represent. Oren says, vaguely, that it was much less than a terabyte. There were backups! The last one was from two days previous to the delete event. The backup was flawed in that it produced files that when tested, by rendering,
exhibited errors. They ended up patching a two-month old backup together with the home computer version (two weeks old). This was labor intensive as some 30k files had to be individually checked.
The moral of the story. Firstly, always test a restore at some point when implementing a backup system. Secondly, don't panic! Panic can lead to further problems. They could well have introduced corruption in files by abruptly unplugging the computer. Thirdly, don't panic! Despite, somehow, deleting a large set of files these can be recovered apart from a backup system. Deleting files, under Linux as well as just about any OS, only involves deleting the directory entries. There is software which can recover those files as long as further use of the computer system doesn't end up overwriting what is now free space.
My favorite album that uses a lot of sampling was one of the earliest uses of sampling, Brian Eno and David Byrnes 1981 collaboration on "My Life in the Bush of Ghosts". A brilliant set of songs! I am now wondering if they will see some sort of lawsuit.
A distinction should be made in how school officials can react. Certainly a school should have a program that teaches about bullying (what constitutes bullying, what motivates bullying, and how it can be handled). They could even hold discussions in response to a particular incident. The school is not responsible for a students actions outside of school or school sponsored events. Schools should not usurp the parents authority. When a public school is in session, school officials have a role as a surrogate for the parents or as an extension of the state. Punishing speech or behavior occurring outside of school is beyond their jurisdiction. Perhaps the best response is to inform the parents of any instigator and arrange a conference if the parents agree.
How far does the schools responsibility and authority extend? If a student accesses Facebook from school using the school equipment and internet connection, clearly the school has authority. What if the access is from a students phone during lunch break? What if the student accesses Facebook from a phone while walking or riding home or to the local fast-food joint? The answer to these questions apply not just to bullying behavior but also in the same way to any sort of speech.
In addition to location, let's look at ownership of equipment as a factor in determining the schools authority.
Austin Carroll, the Indiana high school student who was expelled for a profane tweet did this from his home. He used a school issued laptop which was configured to use a school server as a proxy in accessing the internet. After logging in to the school website, which is the home page upon launching the browser, he had access to the internet which appeared to him exactly the same as just going through his local ISP connection. The school claims that their ownership of the laptop and forced routing through the school network gives them the authority to censor his speech as if he was physically at school. Is it enough ownership to claim authority if Austin had used the school laptop and avoided going through the school's network? Would the same logic apply if he used a school issued pencil to write an objectionable sentence? My feeling is schools should only get involved if speech occurs at school or a school sponsored function and, if applicable, using school owned equipment.
When a student is not at school he or she has them same free speech rights as anyone else (I am disregarding, for now, the parents say in the matter). There is no restriction on what people this speech is in reference to. They can talk about teachers, school officials, and other students. The school has no authority here even if the speech rises to libel or slander. The school can, of course, contact law enforcement or the parents playing the role of informer or counselor. Teachers do not have the same freedom, as they have a responsibility to maintain the privacy of students and are subject to restrictions that any other government employee would have.