sigalrm’s Techdirt Profile

sigalrm’s Comments

  • May 1st, 2015 @ 2:18pm

    Re: What about the driver "agreed"?

    Coercion works wonderfully well for the cartels the DEA is fighting - why would you expect the DEA to deprive itself of such an effective tool?

    At the end of the day, I think Nietzsche has it covered quite succinctly: "He who fights with monsters might take care lest he thereby become a monster. And if you gaze for long into an abyss, the abyss gazes also into you."

    When the tactics of the "good guys" start to be indistinguishable from those of the "bad guys", it's time to take a step back and re-evaluate the situation. Because let's face it - the DEA's actions here - aside from the court fight - are identical to some of the tactics cartels use.

  • Apr 28th, 2015 @ 8:37am

    Re: Re:

    from http://arstechnica.com/security/2015/04/19/researcher-who-joked-about-hacking-a-jet-plane-barred-from-united-flight/

    "Roberts recently noted the lack of response he's had from manufactures in the aviation industry for the past five years"

    I was at a registration-required, but otherwise public, conference Roberts presented at a few (3 or 4) years ago, and had an opportunity to speak to him a bit one on one about some of this (I was actually attending the conference for free as part of a deal Infragard had worked with the conference organizers).

    This isn't a new thing. It's not the first time the airlines and feds have been notified about these problems, and it's not going to get fixed anytime soon.

  • Apr 23rd, 2015 @ 1:00pm

    Re:

    whoops:

    "Reclassify the internet as not a public utility" should read "Reclassify the internet as a public utility"

    Anyone else ever wish there was a way to edit comments here?

  • Apr 23rd, 2015 @ 12:52pm

    Re:

    "This merely pushes the issue back one level. It is perfectly possible to store encrypted files on an encrypted file system. There is no requirement that the two encryption schemes share a common origin, scheme, or code base. You likely do this every day without realizing it: what do you think audio codecs are, or image/file compression?"

    Pushing the issue back one level would be regarded as a significant win by the folks proposing this, as it dramatically reduces the number of people out there capable of working around the technical control. As to the other point above, as you say, there's no requirement, per se, for any common format or code base, but realistically, if you want to communicate effectively, you need some sort of a common system, and whether or not they realize it, most people aren't sufficiently competent to roll their own. This leads, inevitably, to common systems, format, code, and ciphers.

    "If the government does mandate broken encryption on a device, you can bet that anyone wanting to keep their files secret will just put another private layer on."

    Given de-facto control of an OS, there's very little that can be done on a system that you can't also control.

    Also, onto your final point: not all problems can be solved with technology, which is why you back up the technology with:
    ... or you could just go the route England did: "unencrypt this for us or go to jail".

    It's not "or", it's "and". Possible financial and reputational ruin, coupled with the possibility of jail time, is a fairly hardcore administrative control.

    Never underestimate the effectiveness of a public execution (literal or figurative). The hard core penalties sought by prosecutors under, e.g., the CFAA - think Aaron Swartz, or Deric Lostutter (whose hacking under the alias KYanonymous brought about 2 rape convictions), and is now facing more prison time than the rapists because of it? Yes, prosecutors will put the person away for a long time, but that's arguably a secondary goal - the primary goal - and we hear it stated over and over by prosecutors, county sheriffs, police captains, etc - is deterring other people from undertaking similar actions.

  • Apr 23rd, 2015 @ 11:41am

    (untitled comment)

    "So how does the government go about making these shared key schemes mandatory? Bernstein v. United States established that source code was an expression covered under the 1st Amendment."

    The US Government can't (legally) regulate the source code. So what? They don't have to. They can regulate access to public utilities.

    Reclassify the internet as not a public utility. (for bonus points, subsidize access to it to ensure no one is left out based on their ability to afford it) and then specify the technical requirements for connection to it. Make one of those technical requirements "responds appropriately to key escrow validation query" or something similar and they're set. No valid response? No network access for you, and the technical data about the system gets logged for investigation.

    Mobile providers are already regulated this way, so no issue there - they just need to add back-end hooks to make sure the OS is "government approved".

    The technical capabilities already exist to do this at medium to very large scale, but they might require some tweaking to scale appropriately to, say, Cox Communications or Verizon Internet. Google "posture validation" and "network admission control". For a fair number of these networks, the code is already in place, and just needs to be licensed and configured.

    And yes, posture validation systems - as with any security related system - can be bypassed. Which is why the technical controls would/will be backed with administrative controls (Make it a felony to bypass "any technical control intended to regulate access to a public utility") and aggressively prosecute anyone caught attempting to do so. Oh. And the CFAA still applies.

    It might take a decade or so to accomplish, but it's certainly doable. And frankly, you don't even need 100% coverage. Just get the percentage of covered devices high enough to where it's possible to evaluate the outliers and you're "close enough".

  • Apr 23rd, 2015 @ 9:28am

    Re: Re: Re: Re: Consent is the ultimate Fourth Amendment waiver

    "Actually, I don't think it would.

    Duress is an established common law defense in contract law that would cause the form (contract) to be voided which would make it a search without consent and therefore unconstitutional."

    And all you need to do to demonstrate it is to be sufficiently wealthy to pay the lawyers' fees, and sufficiently patient to wait for months or years while it plays out in court.

    Of course, most people in this type of situation aren't sufficiently wealthy to make that happen....

  • Apr 20th, 2015 @ 2:53pm

    Re: Re:

    Actually, I think it's a little more nuanced than that:

    It's (apparently) ok to call someone scum. It only turns defamatory when you preface it with an absolute, like "total scum", or "complete scum", thereby omitting the possibility that the defamed individual might be a quasi, hybrid, or otherwise partial scum. A possible example might be an incompetent scum.

    By this logic, it's not defamatory because he only stated that Greenfield is a member of an illegal gang, not a "complete" or "total" member of an illegal gang....

  • Apr 16th, 2015 @ 12:56pm

    Re:

    It's the US: You're welcome to license non-free speech, assuming you can afford the royalties.

  • Apr 13th, 2015 @ 2:27pm

    Re: Re: Re: Re: Blame the school administrators

    I'm inferring AD from the contents of the article.

  • Apr 13th, 2015 @ 10:26am

    Re: Re: Re: Re: Blame the school administrators

    Then that's on the teacher, and punishable as per their employment agreement. You know, the one where they agree to follow district policy, and then make a conscious decision not to?

    It would - at the very least - partially insulate the school district from liability in this case. Which doesn't seem like a lot until your lazy teacher brings the federal government down on the school and the district.

  • Apr 13th, 2015 @ 9:48am

    Re:

    "no one was hurt and nothing was broken, stolen or damaged"
    Not entirely true - tremendous damage has been done to the reputation of the School District and the local police department.

  • Apr 13th, 2015 @ 9:27am

    Re: Re: Blame the school administrators

    Forget 2-factor:

    In AD Group Policy Management:
    Computer configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies/Password Policy -> Password must meet complexity requirements.

    Turn the knob from Disabled back to Enabled (which is the default, anyway) and hit apply. And now Windows won't accept a password as simple as a person's last name.

    Where should I send the consulting bill?

  • Apr 13th, 2015 @ 9:16am

    Re: As long as they're handing out idiotic punishments for non-crimes

    Or the IT administrators for configuring the system to allow such a password to be used?

  • Apr 13th, 2015 @ 9:14am

    Re: While you are at it

    One acronym: FERPA. Because it sounds like the school district is in dire need of a Department of Education beat down.

  • Apr 13th, 2015 @ 9:05am

    Re:

    If we're going to wield the "What part of illegal don't you understand" hammer, then here's a random thought:

    The school district needs to be investigated for probable FERPA violations by the DoE Family Policy Compliance Office. Because based on what's in the article, they clearly have problems controlling access to the computer systems containing student records.

    Oh, and the head of their IT department needs to be fired for gross negligence - for allowing the system to be configured to use such a weak password in the first place. Because in Active Directory, at least, you have to specifically enable use of such crappy passwords.

  • Apr 8th, 2015 @ 8:09am

    Re: Re: Re:

    Since when does "It's a good idea" seem to be relevant to politicians?

    That's fine though. Use webcams to perform age verification, and you'll find that the # 1 image search on google will quickly become "UK Politician" or "Member of US Senate".

  • Apr 7th, 2015 @ 12:49pm

    Re: How definite can you be?

    You can safely assume that the larger the sample set, the higher the confidence level.

    It's conceivable that, given a sufficiently large sample set, these deduced conclusions will at some point have a similar degree of accuracy to direct testing.

  • Apr 7th, 2015 @ 12:46pm

    Re:

    This is, ethically speaking, a highly complex subject. And anyone with a black and white answer in either direction should have their motivations heavily scrutinized.

    Imagine, for a moment, that a highly reliable test (say, 95%) was available for an incurable condition - say, ALS.

    Would you want to know, with a high degree of certainty that you would get it?

    Tweak that: Now, instead of ALS, it's melanoma.

    Tweak that: Now, it's a condition that can only be passed to a child if both parents have a particular recessive gene. And one of your parents doesn't have it.

    Tweak that: Now, one of your parents - whom you love dearly - isn't your actual parent, and you live in a culture where adultery is punishable by death?

    Does your answer change, based on the scenario?

    At a small scale, the implications are enormous. At a larger scale, the implications to society could be staggering.

    Some people would absolutely want to know. Others absolutely wouldn't. Some might want their primary care physician to be informed, but wouldn't want to know themselves. The reactions would run the full gamut of possible answers.

    I think from both practical and ethical perspectives, all or nothing isn't going to be a viable option here. Some sort of opt-in/opt-out system should be set up.

  • Mar 27th, 2015 @ 1:09pm

    Re: Re: Is too okay

    Goofy systems like the Electoral College aside, I believe that in the general case politicians get elected because a simple majority (50% + 1) of eligible voters who actually vote want them elected.

    The will of the non-voter is entirely irrelevant, as is the cause of their non-voting status. Additionally, from a practical perspective, a non-voting constituent isn't a constituent. Voting constituents on the losing side of the election are also irrelevant to politicians.

    With the low voter turnouts we've seen the last decade plus, it makes it easy for politicians to know who to try to please - and it only seems to be - on average - 10-15% of the registered voters in any given district.

  • Mar 27th, 2015 @ 12:37pm

    Re: Is too okay

    This.

    He's not stupid. It's unlikely that he's even actually that dense when it comes to cryptography.

    He's playing up fear, ignorance, and respect for authority, in order to appeal to the fearful, ignorant, authority-respecting 50%+1 of voters who will re-elect him.
