Kal Zekdor’s Techdirt Profile

kalzekdor

About Kal Zekdor




Kal Zekdor’s Comments

  • May 28th, 2015 @ 2:55am

    Re: Re: Re: Re: Real vs Virtual

    Virtual objects are not objects, they are virtual.

    Sigh... Nine years later and people are still spouting this nonsense.

    If I flipped a couple of virtual ones and zeroes around and emptied your bank account, would you still claim that nothing was stolen from you? Or do you really believe that your money is just sitting in a big vault somewhere? Ownership is a far more complicated concept than whatever physical items you can lay your hands on. Many aspects of ownership are "virtual", beyond just the obvious. Ownership of copyright, of land, of debt. These are all virtual concepts, yet they govern most aspects of our lives. This is not something new, the frameworks of virtual ownership have been around, in one form or another, for centuries.

    Shrugging all of this off as "virtual, and hence meaningless", is... short-sighted.

  • May 22nd, 2015 @ 10:15am

    Re: Re: Re: Re:

    I don't think you know what a CA does...

    The CA does not create or provide Certificates, they merely sign them so they are "trusted".

    This has little to do with the actual encryption between a TLS-enabled client and server. There are at least three legs here (more if you have a web of trust instead of a single trust authority): the client, the server, and the CA. Each of these points has its own private/public key pair. Data to the client is encrypted using the server's private key, which the CA most certainly does not have.

    If the CA were compromised by an attacker, they still couldn't decrypt communication between client and server. However, if the attacker was able to intercept traffic as a MitM, what they could do would be impersonate the server using the compromised CA. That way they wouldn't need to break the encryption, since the client is encrypting the traffic so that the MitM can decrypt it, thinking that they're talking to the server.

    Blaming third-parties for not disobeying government orders is a red herring, anyway. The government should not be allowed to issue such orders. Period.

  • May 20th, 2015 @ 4:22pm

    Theft of IP

    Just wanted to point out that it is possible to steal IP, and in context it's what Kerry was talking about. When you break or hack in to obtain confidential information that you aren't allowed access to (and possibly destroying or corrupting the original), that is most certainly theft.

    When you distribute information that you obtained legally without permission and against Copyright laws, such as sharing a movie online, that is infringement, not theft. Corporate espionage falls under a different label than infringing.

    The concepts, of course, are not mutually exclusive. The use of the stolen IP, such as by putting out a competing product based on the IP, is, once again, infringement.

    That bit of pedantism aside, this was a great article.

    TL;DR: Illegally obtaining confidential IP is theft; illegally using IP (secret or not) is infringement.

  • May 19th, 2015 @ 7:48pm

    Ion Thrusters

    Ion Thrusters are interesting, but they're not a purely electric propulsion medium. They still rely on a propellant, xenon usually, which is expelled at high speeds. They're much more fuel efficient than chemical propellants, but they still need to carry fuel, which limits the usefulness for deep space exploration. They also tend to generate very low thrust, but by the time that we really need better thrusters that might no longer be true.

    That EM drive, though.... I really hope that it's not just a mistake, and it does operate the way people think.

  • May 17th, 2015 @ 11:47am

    Re: Re: Running a CA

    Interesting, I had no idea that someone had considered the idea enough to put together an RFC on it. Thanks for the information.

    I'm not surprised that there hasn't been much interest in it, though.

  • May 16th, 2015 @ 8:45pm

    Re: Re: Re: Re: Troublesome certificates...

    They could do that; as an ISP they could intercept any https requests, and act as a MitM proxy, decrypting and re-encrypting traffic in both directions. That would be troublesome if https was only about encryption. What they would not be able to do would be perfectly disguise the traffic as coming from the original source. They would need to automatically create certs for each site that a user requests. They could make these certs appear to be from the site in question, maybe even well enough to fool the browser, but they would not be identical to the certs provided by the site, and they would all be able to be traced back to a single CA. When every https site in the world is suddenly using the same CA... Well, let's just say people will notice, and there will be an uproar. See the Lenovo/Superfish fiasco.

    This type of MitM attack is untenable on a wide scale, particularly if you need to keep it quiet. Targeted attacks on less savvy individuals, however...
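
The check the comment above describes, as an added example that is not part of the original comment or of the site's own content: compare the certificates seen on a network against a baseline recorded from a trusted vantage point, and flag any single issuer that has replaced the real issuer for many unrelated sites. The host names, fingerprints, issuer names and the `find_interception` helper are all constructed for illustration.

```python
from collections import defaultdict

# Constructed baseline: (leaf fingerprint, issuer) recorded from a trusted vantage point.
BASELINE = {
    "bank.example": ("aa11", "Example Trust CA"),
    "mail.example": ("bb22", "Sample Root CA"),
    "shop.example": ("cc33", "Demo Secure CA"),
    "news.example": ("dd44", "Example Trust CA"),
}

# Constructed observations from the network under test: host, leaf fingerprint, issuer.
OBSERVED = [
    ("bank.example", "e001", "ISP Proxy CA"),
    ("mail.example", "e002", "ISP Proxy CA"),
    ("shop.example", "e003", "ISP Proxy CA"),
    ("news.example", "dd44", "Example Trust CA"),
]


def find_interception(observed, baseline, min_hosts=3):
    """Return (mismatched_hosts, suspect_issuers).

    A host is mismatched when its leaf fingerprint differs from the baseline.
    An issuer is suspect when it signed the substituted certificate for at
    least min_hosts hosts whose baseline issuer was something else.
    """
    mismatched = []
    replaced_by = defaultdict(set)  # observed issuer -> hosts it now fronts
    for host, leaf, issuer in observed:
        known = baseline.get(host)
        if known is None:
            continue  # no baseline for this host, nothing to compare
        known_leaf, known_issuer = known
        if leaf != known_leaf:
            mismatched.append(host)
            # A routine renewal keeps the issuer; a proxy swaps it.
            if issuer != known_issuer:
                replaced_by[issuer].add(host)
    suspects = {i: sorted(h) for i, h in replaced_by.items() if len(h) >= min_hosts}
    return sorted(mismatched), suspects


if __name__ == "__main__":
    hosts, suspects = find_interception(OBSERVED, BASELINE)
    print("changed leaf certificates:", hosts)
    for issuer, fronted in suspects.items():
        print(f"{issuer!r} replaced the issuer for {len(fronted)} hosts: {fronted}")
```

A leaf that changes while keeping its issuer is reported as mismatched but never counted toward a suspect issuer, since that is what an ordinary renewal looks like.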

  • May 16th, 2015 @ 4:42am

    Running a CA

    For anyone who is worried that using https will require trusting a third-party, there is a way around that. It's not all that difficult to run a CA yourself, many Enterprises do so for encrypting internal web applications. Certs usually cost money not because of some technical cost of encryption, but because of the man-hours that are required for the CA to verify that you are who you claim to be. You can cut out the middle man by running your own CA (you implicitly trust you, right?). The downside is that the certs you create won't be trusted by default (and the hoops you would have to jump through to do so are... untenable). Clients would need to install your root cert onto their machine, which is easy to do, and then any certs you create are trusted.

    If that's too much to worry about, you can always forgo a CA entirely and use self-signed certs. No one will be able to trust them, but it's the easiest way to get encryption running. The problem with https/ssl is it's playing double duty as data encryption and identity verification. Providing encryption is cheap and easy, and solves most (though not all) of the concerns about modern web browsing. Unfortunately, encryption is caught up in identity verification/trust authority, which is difficult and expensive (though progress is being made on that front by EFF/Cloudflare/others). I'd love to see a protocol somewhere between http and https, that negotiates and encrypts traffic, but doesn't rely on a trust framework. It obviously wouldn't be as secure as https (MitM attacks would be much easier), so https would still need to be used for things like ecommerce, but it would be much better than http, and without the costs/difficulties of https.

  • Apr 30th, 2015 @ 1:18pm

    Re:

    Not the only one, no. Plenty of folks are mildly disinterested in the game even though they completely understand it. Myself, beyond interest in the world building algorithms and the possibilities of the in-game logic circuits (though the former is less about playing the game than it is interest in the mechanics, and there are better examples than Minecraft of the latter, e.g., Little Big Planet, Space Engineers), I find it rather dull.

    That said, I completely understand why so many people enjoy it. The best analogy really is an endless set of legos; Minecraft allows for an enormous amount of creative expression. But, then, I never did enjoy legos as a kid. They always felt... pointless. Instead, I spent weekends and holidays building complex engineering feats (for a kid, anyway) out of K'nex. Less about making pretty structures than seeing what you could build, struggling against gravity, structural stability, load distribution (I think I figured out the awesomeness of the lowly triangle at about 6 or 7), etc. Throw some motors in the mix, and things start to get really fun. I remember spending a lot of time messing with a remote control motor, building various vehicles.

    I guess I'm trying to explain that I'm creative, but not artistic, and that I think Minecraft appeals to those with an artistic tendency. Since allowing kids to explore their artistic side is laudable, I have a hard time understanding why anyone with a touch of sense would think Minecraft is bad for kids.

  • Apr 21st, 2015 @ 1:12pm

    Re: Re: Technology leads to Frankenstein tragedies.

    Isn't Bill O'Reilly registered as an Independent? Conservative, certainly, but not a Republican. Seems to me like you took two random examples on the failings of rigid, dogmatic ideologies, and interpreted it as a personal attack.

    Do you have a persecution complex, or are you posting flamebait for the hell of it? I am inclined to believe the former, though your last statement gives me doubts, so correct me if I'm mistaken.

  • Mar 23rd, 2015 @ 1:35pm

    Re: Cloudflare Certificates

    Techdirt should really know better. This is tabloid (or cable news) level bullshit. The only revelation here is that the campaign website uses Cloudflare. Good for them, Cloudflare knows what they're doing. The SSL certs used by CF often serve multiple websites. That's all that's going on here. It has nothing to do with Ted Cruz, and little to do with Cloudflare.

    I'm disappointed.

  • Mar 20th, 2015 @ 9:11pm

    Mitigation, not Prevention

    Cisco's plan makes a lot of assumptions about the NSA's capabilities, most of which aren't particularly sound...

    I don't agree. Cisco is well aware of NSA capabilities, and they know that this plan isn't enough to prevent tampering en route. With enough tracking/surveillance/infiltration of Cisco operations/personnel, the NSA can and likely will still find, intercept, and tamper with intended targets.

    In that case, why did Cisco bother? Two reasons. First, which was touched on in the article, is to simply make a statement. They are proclaiming to the world and to the NSA that they're not willing to sit idly by while the surveillance state drives their reputation (and their bottom line) into the ground. This is a symbolic protest as much as an actual mitigation.

    Second, yes, this is a mitigation. These precautions won't make it impossible for resourceful (in both meanings) third parties to intercept equipment, but they will make it more difficult, and thus costlier. Even the NSA only has so many man-hours it can direct. If it now takes twice as many man-hours (an over-estimation, I'm sure, but no matter) in order to backdoor a router en route, then they are only able to do so half as often.

    Cisco, or any US based company, can only do so much to thwart the surveillance state. Any pushback, however minor or symbolic, is to be applauded. On the same note, any willful collusion should be considered a betrayal of their customers, and the public at large.

  • Mar 4th, 2015 @ 3:50pm

    Re: Re: grammar bugaboo

    Though, I'd like to point out that the first parenthetical in his post follows a full stop, and encapsulates a discrete sentence. In informal grammar, this indicates an aside, a thought tangentially related to the current topic, but not fitting in the paragraph flow. (Yes, in case you were wondering, I am enjoying myself.) It is perfectly valid, though, again, less than formal.

  • Mar 4th, 2015 @ 3:34pm

    Re: Re: grammar bugaboo

    Over a century, in fact.

  • Mar 4th, 2015 @ 3:32pm

    Re: grammar bugaboo

    It's acceptable semi-formal grammar, though "So" should most correctly be followed by a comma, as it is being used as an opening interjection.

    "So" as a magnifier is what annoys me: "This is so annoying."

    So, it appears that the logomachists are out in force today.

  • Mar 4th, 2015 @ 12:38am

    Re: Nothing "disappointing" here

    I don't know where you've been living, but cars that lock themselves automatically are most certainly a thing.

  • Mar 3rd, 2015 @ 4:13pm

    Disappointing is the word.

    The main performance bottleneck on encrypting these devices is caused by the lack of a dedicated hardware encryption chip. That costs money, and necessitates a major hardware redesign. So they tried software FDE, which has performance costs. The performance drag was too great, so they complained to Google.

    Google quietly backpedaled their encryption requirement. Not permanently (at least according to them), but just an extension to give the manufacturers more time to meet the requirement.

    So... disappointing is the word. Especially how Google loudly boasted about always on encryption, but was nearly silent about pushing back the requirement.

  • Feb 23rd, 2015 @ 6:40am

    Re: hmmm

    Don't forget ftp://*.*/*

    Hell, just go with ip://*.*.*.*:* and shut down the entire internet! That'll surely cause sales to pick up!

  • Feb 23rd, 2015 @ 6:24am

    40 out of 95

    Wow... Of the 95 "infringing" urls in that link, I have been to at least 40. My day to day job as a software developer has me using at least a dozen of those just to get anything done.

    Utterly absurd.

  • Feb 19th, 2015 @ 2:54pm

    Hard Drive Firmware

    It is certainly feasible that the NSA did not need access to the firmware source code in order to pull off this kind of attack. Ars Technica has an article explaining. These drives use standard debugging interfaces, and, with a bit of work, anybody with the right skill set can reverse engineer the firmware.

    That's not to say that the NSA didn't have access to the firmware source. They certainly could get at it if they wanted. Just that they did not necessarily need the source in order to write this kind of malware.

  • Feb 19th, 2015 @ 7:47am

    Re: Re: Re: Re: Re: Re: Domino Theory Isn't Right

    Since competition doesn't exist, and because they're trying to charge me and everyone else for imaginary resources, I believe they are engaged in anti-consumer, monopolistic, behavior that is not required for the health of the network or for their own business requirements and therefore should be regulated.

    Yeah, that's the crux of the matter right there. If there were real competition in the sector this sort of activity would be fine. Arbitrary limits on usage can reduce network saturation. The result for the end consumer is a less useful and more expensive service, but that would be fine, if there were alternatives.

    However, ISPs (both wired and wireless) have spent the last two decades or more deeply entrenching themselves. The networks they operate were often subsidized, at Federal, State, and Local levels. They have spent millions of dollars lobbying (successfully) for anti-competitive laws of their own design. They have either natural or government (Local or State) granted monopolies in most of the regions they operate in. They collaborate with their so-called competitors, dividing territory and colluding on prices and practices. All while providing what few would disagree is a basic necessity of modern life.

    When all the significant providers of a necessary service engage in collusion and anti-consumer behavior, it is, and rightfully should be, time to regulate that industry. I don't lightly suggest regulation. Careless or unnecessary regulation can have enormous costs and serious repercussions. However, ISPs have shown time and again that, like the banking industry, they will engage in anti-consumer behavior for so long as they are permitted to do so. It's time to tell them otherwise.
