I don't think the literal meaning is as important as the context of the core of the name, "science", being used as a label for a belief that is meant to replace religious belief. Thus, it's fair to say scientology is intended to be a kind of worship of science. Well, except that their belief system is just pseudoscience. Scientology completely misses the core of the philosophy of science which is a process of creating theories which are testable and using test results to alter or negate those theories.
At the end of my senior year in high school I organized a group who came onto campus in the dead of night, opened the circuit boxes for all the bells (not fire alarms) and cut the wires. This was primarily a political statement but did have the timing and elements of being a senior prank. I was one of those actually in the halls cutting wires (Don't get excited, the statute of limitations has long ago eliminated the possibility of prosecution). We had several lookouts, including outside at each end of a hall (yes, we had copies of keys). Although the lookouts had earpiece walkie-talkies, one of them was caught unawares by the lone custodian working at night. We weren't aware that custodians worked at night. Luckily, the custodian didn't notice us inside the hall and so we finished and only saw him and our companion at a distance. We sprinted through the sports fields to the get-away car and were not caught. The administration never connected the bell malfunctions with that student trespasser. The most surprising incident was that the custodian brandished a gun in front of that student. Even back then, anyone carrying a gun on campus was a big no-no. We didn't report him though for obvious reasons.
What strikes me most about this story is that the liaison officer was monitoring the students via social media and was the one who told school officials about a tweet referring to the fake letter. Is this becoming the standard now for school districts across the nation?
It seems appropriate for the police, including the liaison officer, to investigate something that occurred off-campus. What is very inappropriate is that he was investigating who created the letter. That creation is clearly parody, not a crime, and not subject to school policy because it is thought to have been done off-campus.
If the letter was delivered to a specific subset of students' homes it could be considered sexual harassment. If so, it still doesn't rise to the level of any crime that I am aware of and isn't subject to school policy because it was off-campus. I do fault Tim for not recognizing the sexual harassment aspect. He apparently missed the session on sexual harassment at re-education camp. I will inform the proper authorities. Tim, sexual harassment is not funny! Vaginas are not funny! No, no... NOT FUNNY!!
I remember that a similar, photoshopped, image was unscrambled by U.S. law enforcement. That person was identified from the picture and arrested. It should be relatively easy to reverse the smearing of the face of the man on the right. Who applied the smearing? Glenn Greenwald, the publisher, or some NSA hack?
I believe I was going to be on the jury pool for this trial. I had been called to show for a trial on March 31st, just the time this started, and the estimate was 6 weeks for its length. Odds are I would have been dismissed from the jury because I know too much about the issues involved. As it happened, I was hit by a car and fractured my pelvis so I couldn't easily get to court. Was I better off?
A good friend of mine is a very religious Christian. She is also very gullible. I am not saying one characteristic is a requirement for the other but I do get chain emails forwarded from her that often combine these attributes. Once, when I brought up Dr. Seuss she told me of his dark side, wherein he had published an adult pornography book. Well, I had to look that up! I did confirm that the book in question was titled "The Seven Lady Godivas" and it was intended to be a humorous story for adults but there was no intention of causing titillation. Yes, there is nudity but it is a cartoon nudity and hardly qualifies as sexual or prurient content. If a cartoon were made based purely on the illustrations in the book, it would be rated PG and not even PG-13. When I showed her the actual illustrations, my friend was amused and disabused of her impression that Dr. Seuss had this ugly dark side. Yet, there are folks out there who feel that even this book is obscene, pornographic, and evil because it has the appearance of a children's book. I wonder if the Toronto library has a copy of this title?
It's amazing to me how naive some journalists are with respect to science or technology. The following quote from the story should tell anyone with even the least understanding of networking that the mesh networks described cannot be secure.
“I just put my router up, and it will connect to anything it sees,” Ms. Gerety said. “You just keep putting up more routers.”
Doesn't the NYT have fact checkers or editors anymore? They certainly do have some reporters who are quite knowledgeable about science and technology in general and the Internet in particular.
Mesh networks are in use in the US although you may not be aware of it. For example, the network behind PG&E's smart meters is a mesh network. Now that one is supposed to be secure, using encryption to ensure confidentiality and exclusivity.
“This kid, when he was in high school was in the top of his class. He was extremely gifted. So he sent a letter to the [London District Catholic School Board in Ontario] indicating that their school system was susceptible to hacking.” The attorney said the school officials were nonplussed. “They said they’d like to test it themselves. He was a quote computer nerd unquote and they didn’t take him seriously.” So the 14-year-old, Joseph claims, went into the computer system and found “all the confidential information.” But then, right when things could have turned criminal, Joseph said his client stopped. “He could have changed everything, and changed nothing,” Joseph said.
This article doesn't expound the problems with laws concerning unauthorized computer access but it is not missing the point either. I don't know what the penalties are in Canada for unauthorized use of a computer but in the U.S. the CFAA is a one-size-fits-all law where any unauthorized access has a maximum penalty of five years in prison. There is a wide range of criminality lumped together as violations of this law and it includes white, or gray, hat hackers who exercise an exploit simply to prove it was possible. Even with the best intentions, if such a hacker accesses a computer they don't have permission to access, the penalty is 5 years in prison. The law against unauthorized access should not have such a draconian penalty. The heavy penalties should apply to those who exhibit more nefarious intentions by also committing fraud or theft based on the information they illicitly acquired.
I agree that a single word, either untouched or mangled, is not secure. This is true regardless of what language is used. Back in the '90s I used to use Hungarian words thinking that language was fairly obscure, as only 11 million speak it. Wrong, it is now one of the standard languages used for dictionary attacks.
The current state of password cracking allows secure use of passphrases though. A coarse attack against a passphrase using a dictionary of 20,000 words requires an effort of 20,000 ^ N, where N is the number of words. If N is 2 that effort is 400,000,000 (actually 200 million on average). This is still not secure. 3 words requires an average effort of 4 trillion guesses. This is still not secure, particularly if the words are not random but a sentence fragment. The security can be increased with mangling but it is better to choose a basic length without considering mangling. 5 random words requires an average effort of 1.6 x 10 ^ 21. This is very roughly equivalent to a binary key of length 70 (70 bits of entropy) and with mangling can approach a password that, depending on the hashing algorithm employed, even the NSA will, currently, have a hard time cracking in a reasonable time. If one uses a larger dictionary, say 1 million words including all sorts of technical words, a random 3 word passphrase requires an effort of, roughly, 10 ^ 18 guesses. Finally, if a nonrandom, grammatical phrase is used, it should not be well known (e.g. book title, song title, lyric, famous quote, or a spelled out TLA).
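The arithmetic in the comment above, carried through as an added example (this is not the commenter's code). It assumes words are chosen uniformly at random from the dictionary, that an attacker must on average try half the keyspace, and it uses an assumed guess rate of 10^12 per second only to illustrate how dictionary size and word count trade off; a phrase that is grammatical rather than random has far fewer possibilities than this model counts, so these figures are an upper bound for such phrases.

```python
import math

# Dictionary sizes from the comment: a 20,000-word list and a 1-million-word list
# including technical terms. The guess rate is an assumed illustrative figure.
SMALL_DICT = 20_000
LARGE_DICT = 1_000_000
ASSUMED_GUESSES_PER_SECOND = 10**12
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_keyspace(dict_size: int, n_words: int) -> int:
    """Distinct passphrases of n_words drawn uniformly (with replacement)
    from a dictionary of dict_size words: dict_size ** n_words."""
    return dict_size ** n_words


def average_guesses(dict_size: int, n_words: int) -> int:
    """Expected guesses for an exhaustive attack: half the keyspace."""
    return passphrase_keyspace(dict_size, n_words) // 2


def entropy_bits(dict_size: int, n_words: int) -> float:
    """Entropy of a uniformly random passphrase, in bits.
    Equivalent to the length of a random binary key of the same strength."""
    return n_words * math.log2(dict_size)


def years_to_crack(dict_size: int, n_words: int,
                   guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected wall-clock years at the given (assumed) guess rate, assuming the
    hashing algorithm does not slow the attacker further."""
    return average_guesses(dict_size, n_words) / guesses_per_second / SECONDS_PER_YEAR


def strength_row(dict_size: int, n_words: int) -> dict:
    """Summary used by the table below; returned so it can be checked directly."""
    return {
        "dict_size": dict_size,
        "words": n_words,
        "keyspace": passphrase_keyspace(dict_size, n_words),
        "avg_guesses": average_guesses(dict_size, n_words),
        "bits": round(entropy_bits(dict_size, n_words), 1),
        "years": years_to_crack(dict_size, n_words),
    }


if __name__ == "__main__":
    print(f"{'dict':>9} {'words':>5} {'avg guesses':>14} {'bits':>6} {'years@1e12/s':>14}")
    for dict_size, n in [(SMALL_DICT, 2), (SMALL_DICT, 3), (SMALL_DICT, 5), (LARGE_DICT, 3)]:
        r = strength_row(dict_size, n)
        print(f"{r['dict_size']:>9} {r['words']:>5} {r['avg_guesses']:>14.2e} "
              f"{r['bits']:>6} {r['years']:>14.3g}")
```

Running it reproduces the comment's figures: 2 words from 20,000 is 200 million guesses on average, 3 words is 4 trillion, 5 words is 1.6 x 10^21 (about 71 bits, i.e. roughly a 70-bit key), and 3 words from a million-word list is a 10^18 keyspace. The `years` column makes the point of the comment concrete: at the assumed rate the 5-word case takes decades, the 2- and 3-word cases well under a second.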
It is good advice to suggest longer passwords. Unfortunately, many websites have a length limit which is too short. My credit union, a Silicon Valley financial institution no less, had an upper limit of 12 characters for passwords used for online banking. I discussed the problem with them about such a limit 3 months ago. As it happened they were in the midst of making changes directed towards making the site more secure. As a result, they increased the limit to 20 characters which is tolerable but not ideal.
A randomly generated password of 12 characters, using a good sized character set significantly larger than the set of alphanumeric characters, is fairly safe. This works well if you use a password manager and don't have to type, much less memorize, such a password. Passwords that don't require a lot of effort to memorize contain less entropy, so they need to be longer to be secure. I suggest 20 characters as a minimum. I used to use book titles along with a random 4 digit number. No longer is that safe. Now, for my 94 passwords, I use random sentence fragments from books along with numbers (I won't disclose any more, security through obscurity does have limited value). I keep all my passwords in an encrypted file. I find I can remember passwords that I use at least once a week. I don't need mobile access so I have not utilized a password manager. My solution is not the only good one and I do test it with a password cracker.
I believe the gist of this story is not so much blaming someone it's that both government and industry rely on an Internet which needs funding for critical areas involving security. One of the NSA's primary roles is ensuring the security of the Internet. That role can be filled by a government agency that provides, at least, funding to create and maintain the underlying code. There will never be trust in code used for confidentiality and authentication unless it is open source. Also, as many people are saying, the NSA can't play this role when it also has the role of spying on communications.
The KQED program about PSS quoted one LA sheriff as saying that this was a test and LASD is not planning to use PSS on a regular basis. Not that privacy was the issue that swayed them against adopting it, rather it was cost vs efficacy in solving crimes. The LASD does care about public opinion concerning surveillance insofar as public outcry can serve as an impediment to the adoption of any particular technology by law enforcement.
Even if the cameras in the plane were higher resolution, facial recognition still cannot be applied to the images. That is, unless you can get the person to look up at the plane somehow. One of the LA sheriffs noted that PSS posed the least intrusive surveillance technique compared to the other new technologies coming into play.
Whenever there is a credit card or debit card payment involved, a retailer or any other sort of business has a contract with the credit card companies and the banks that issue such cards. That contract obligates the retail business to comply with the PCI-DSS (Payment Card Industry Digital Security Standard). When there is a security breach there will be an investigation which will determine whether the retailer was in full compliance with PCI-DSS. If not, they will be liable, rather than the banks, for losses due to resulting fraud. Also, additional fines can be levied against the retailer. Given this, it is a bit odd that the FTC is trying to apply civil penalties via a lawsuit outside of this existing mechanism. There is a lot of argument about whether compliance with PCI-DSS is enough to prevent most attacks. Compliance is expensive, time consuming, and the bureaucratic line item approach misses out on some intuitively obvious ways to better ensure security. Yet, it is at least a fairly comprehensive standard which the FTC is lacking.
Although the prosecution was brought by federal prosecutors within the DOJ, this case was initially investigated by the FBI at the behest of AT&T. I don't think one can minimize the influence of AT&T in getting the government to pursue this case, although the details of that influence will probably never be known publicly. The case was, and is, such a weak one that never should have been pursued. Recall two people were charged; Andrew Auernheimer (Weev) and Daniel Spitler. Spitler pleaded guilty to the charges and was sentenced to 3 years probation on January 24, 2014. Compare that to 41 months of prison for Weev. This is yet another example of how people are severely punished, particularly in federal court, for fighting the charges against them.
I will provide the following timeline that shows how quickly the FBI got involved.
June 3, 2010 - June 8, 2010: Spitler and Weev collect email address/ICCID pairs.
June 6, 2010: Weev sends emails to a handful of top media personnel whose emails were collected. He briefly explains how he came to know their email address and invites them to interview him. Weev explained that this was his way of indirectly notifying AT&T of the security vulnerability.
June 7, 2010: AT&T is notified of the security breach by a “business customer” who is not identified by AT&T.
June 8, 2010: AT&T has stated that they fixed this vulnerability, by Tuesday, within hours of being notified of the problem. They did this by disabling or removing the code which pre-populated the log-in page with an email address.
June 9, 2010: Weev contacts Ryan Tate of Gawker and gives him the list of email address/ICCID pairings and details about their uncovering of AT&T's security hole. Gawker publishes an article that very afternoon including a handful of redacted pairings that were for notable people.
June 10, 2010: Gawker is contacted by the FBI and issued a formal preservation of evidence notice.
You can see that the FBI was involved very early on. I can imagine that they were contacted by some executive at AT&T as soon as AT&T had learned of the breach.
I am not sure the NSA actually needs that site. It may be just convenient as there are already facilities there now. The original rationale for using the radio-quiet area is to avoid radio interference in detecting weak signals reflected off the moon (USSR, cold war, etc...). The original concept of a 600 ft. radio dish antenna was never completed. I will hazard a guess that it was replaced by the utilization of Diego Garcia which, via atmospheric properties and positioning on the globe, allowed for monitoring of Russian radio signals. So, Sugar Grove's main purpose for the NSA has been as a COMSAT receiving station. These are our own satellites so weak signal detection is not an issue. I don't think that the fact this NSA facility is in a quiet area is going to help them detect nefarious groups who are trying to snoop on the NSA. Most such radio frequency snooping is passive. Better solutions are encryption and physical protections like the false facade of the Puzzle Palace.
Electro-sensitives can celebrate as Sugar Grove is going to be shut down by September 30, 2015. http://cryptome.org/dodi/2013/opnav-5400-2215.pdf Oh wait, the liability shift for adopting chip and pin credit cards happens on October 1st of that year. They are going to have to abandon their credit cards as well.
Firstly, I want to say that I agree, wholeheartedly, with the ACLU and these databases should not retain data for more than a few days. I will now argue as a devil's advocate and point out that there is a good reason to retain ALPR data for years. The value that law enforcement sees in long term data retention is for cases that are unknown at the time the ALPR record is made. For any new suspect the database may provide a number of records that may or may not be useful in the investigation. Even if the value of that data is minimal you cannot argue that it is a waste of resources for the simple reason that technology has made the recording of license plates, and the creation and retention of this data in a database, so damn cheap.
The argument against long term retention should be focused on the fact that this is yet another method to automatically track the movements of nearly all citizens. Currently, the majority of people will have their cars recorded either not at all or only a few times a year. That is not so worrisome. However, the use of these systems is rapidly proliferating and when your car is recorded every day that data, whether in the hands of government or a private company, is rather worrisome.