TKnarr’s Techdirt Profile

TKnarr’s Comments

  • Apr 24th, 2017 @ 3:21pm

    Re:

    Have to agree. Bricking the devices (or close enough that that kind of consumer won't be able to unbrick it) will give those devices, and if it happens commonly enough that brand, a rep for being unreliable and consumers will start to avoid them. There's a point where we have to say "Subtle hasn't worked, let's try not-subtle." and I'm pretty sure we're well past it. It's not like it's not possible to design consumer hardware/firmware that's secure, it's just that the entity responsible for it doesn't bear the cost of not doing it.

  • Apr 21st, 2017 @ 2:02pm

    (untitled comment)

    Mr. Lau's right in that you generally start with just the IP address (because that's all that exists at the network level) and need to work from that which means going to the owner of the account that was using that address at that time to find out the actual person who was using the account's connection at the time. If cases are thrown out merely because an IP address is all the plaintiff has at the start, that's pretty much equivalent to prohibiting all complaints about on-line copyright infringement and that'd be wrong.

    Where the problem lies isn't with starting with just an IP address, it's with cases where the sheer number of alleged defendants makes it clear the plaintiffs don't intend to pursue actual cases. Cases should start with a (relatively) small number of addresses which have some relationship to each other (eg. their reverse-lookups or traceroutes result in names indicating they're all in the same geographic region and the court you're filing in has jurisdiction over that region), should be for something reasonable (eg. "All we can identify based on the IP address is the account holder and we need to question the account holder to identify the actual infringer.") and most importantly should state up-front the basis for believing infringement has occurred (ie. "We downloaded and viewed the file ourselves and it is in fact a full copy of our film." rather than "It's got a name that vaguely resembles the title of our film.").

  • Apr 20th, 2017 @ 3:37pm

    (untitled comment)

    One mitigation would be to treat it as an extension like any other that just happens to come pre-installed. The first thing you get when you bring up Chrome (or upgrade to a version that includes the blocker) is a tab showing the default state and requiring the user to select their preference or confirm that the defaults are OK.

    Of course, if I were Google I'd make it a 3-way thing: click button 1 to enable Google's blocker, click button 2 to be shown a list of other ad-blocking options and independent reviews of them, or click button 3 if you really truly want to see all ads. But then I'm a bofh.

  • Apr 20th, 2017 @ 11:34am

    Re: Re: Re: Re: So what's your solution?

    I don't think you understand the process. With these terms of service a person brings suit, the company moves for dismissal and referral to arbitration based on the TOS, the judge tosses the suit (out or over the wall to the arbitration panel) based solely on the TOS and never gets to the question of whether the complaint had any basis. And if they sue after arbitration, they have to shell out hundreds of thousands of dollars over a couple of years with no ability to recover any of it and the possibility of having to also cover the company's legal fees even if the person wins.

  • Apr 19th, 2017 @ 4:05pm

    (untitled comment)

    Hmm. Who does the R Street Institute represent (as in, who are they being paid by)? The arguments Ms. Hobson presents look like they're taking the proposed law and interpreting every clause in it in the most disadvantageous manner (even when that contradicts the black-letter words of the proposal). The result is arguments that amount to eg. "There isn't a full screen to display details like we'd have on a computer on a toaster, so it's impossible for a toaster to comply.", easily countered by "State clearly in the manual what information is collected and transmitted, then either state that it's continuously collected/transmitted while the toaster is powered on or add one single LED and say that that LED being lit means data collection/transmission is in progress.". The whole thing smacks of an attempt to argue that we shouldn't hold manufacturers to any legal standard and should leave it entirely up to them to voluntarily do the right thing.

    Well, if they would voluntarily do the right thing, we'd never have gotten to the point where a law like this is proposed.

  • Apr 19th, 2017 @ 3:24pm

    Re: Re: So what's your solution?

    That's already been thought of. That's why the "terms of service" for connected devices commonly include clauses preventing users from joining class-action suits and requiring them to first go through manufacturer-friendly arbitration before filing an individual lawsuit (and often making the consumer liable for the company's legal costs if the consumer fails to win the suit, where in the normal course of legal proceedings they wouldn't be). Lawsuits aren't a real threat when no individual consumer can show enough damages to cover the costs of suing and collective actions are prohibited.

  • Apr 19th, 2017 @ 3:19pm

    Re: Re:

    If that worked, we wouldn't be here. Or haven't you noticed the stream of reports of various breaches that name virtually every company currently producing connected products?

  • Apr 19th, 2017 @ 12:03pm

    Re: Re:

    It's not a security choice. A security choice would be to disable the fingerprint-recognition feature until the user had confirmed that they expected the sensor to have been changed (eg. during a repair). That would protect the integrity of the path between the sensor and the secure enclave. Everything else, including disabling the button for non-fingerprint-related functionality, has nothing to do with security and everything to do with locking out independent repairs. How does bringing up the PIN keypad, for instance, compromise security if it's done via a home key installed during a repair? Unless, of course, you're positing that some nefarious party has swiped the phone, swapped out both the home button _and_ the entire screen for hardware that'd somehow record and store fingerprints and PIN entries in hardware _not part of the phone_, and then returned the phone without the owner ever noticing it was missing for the length of time required to effect the work. And _then_ managing to swipe the phone a second time to offload the stored data from the hardware (it's not part of the phone, remember, and our nefarious actor doesn't have the fingerprint or PIN that'd permit him to install software on the phone (if he did, he wouldn't have to install hardware to get them)). I find that whole sequence highly unlikely, unless of course you've been targeted specifically by someone who wants access to your phone in particular and not any phone in general and who's also in physical proximity to you.

  • Apr 18th, 2017 @ 11:38am

    Re:

    If Fearless Girl isn't art then the ceiling of the Sistine Chapel isn't art nor is the Mona Lisa. Let 'em argue that one.

  • Apr 17th, 2017 @ 1:18pm

    (untitled comment)

    Seems there'd be multiple grounds to argue that there's no case:

    1. The handshake and knock aren't trade secrets. Trade secrets require some economic value to their secrecy, and there seems to be no economic value in knowing how to access a PSS meeting or identify a PSS member.

    2. The information wasn't known to be acquired by improper means. PSS itself couldn't identify the source as a member, and they haven't identified a member the source could have gotten the information from. They assert that it could only have come from one of their members, but it's on them to prove that and they haven't.

    3. The information wasn't secret. They don't appear to make any assertion that the handshake and knock are never ever used in public. If they're used in public, there's a myriad of ways to acquire them without doing anything improper, eg. observing someone you know is a PSS member using them to identify themselves to someone else.

  • Apr 10th, 2017 @ 10:26am

    (untitled comment)

    My response to Pai would be one of my standard ones: "If they're willing to promise that and intend to honor that promise, then having the terms of the promise written down as binding regulations shouldn't be any additional problem for them, right? After all, the regulations are just what they're going to do anyway, there shouldn't be any additional burden on them."

    It comes from a standard statement when negotiating contracts: "If you intend to do that anyway you won't mind putting it in writing, right?"

  • Apr 6th, 2017 @ 4:33pm

    (untitled comment)

    For the dissent's position, I'd ask:

    I have a safe in my house. It was there when I bought the house. I didn't install it, I don't know the combination and I have no idea what's in it other than it isn't anything to do with me. Does this mean the police can enter my house, have a locksmith open the safe and riffle through its contents, all without any warrant?

    If the answer is no then the dissent's position is at best misguided and at odds with existing jurisprudence. Things don't have to have any intrinsic value to belong to me, they don't have to have been created by me to belong to me, and they certainly don't have to have been built and/or installed by me to belong to me. The black boxes were part of the car when I bought it, I paid for the whole car and I've got the title to the whole car, the title applies as much to the black boxes as to any other part of the car.

  • Apr 3rd, 2017 @ 11:44pm

    (untitled comment)

    I'd like a variant of two-factor: my fingerprint can unlock the phone alone while connected to my headset or PC via Bluetooth, otherwise it requires the PIN or password in addition to the fingerprint.

    To be nasty, let it ask for the PIN/password regardless of what fingerprint it scanned but too many failed PIN/password attempts with the wrong fingerprint presented would lock out all further attempts.

  • Mar 29th, 2017 @ 2:24pm

    Re: Re: Re:

    This wouldn't be to the prosecutors when they come to enforce an order. It'd be to the supporters of this bill and the prosecutors when they testify to needing it in Congress when it's debated. Lay the groundwork for taking child trafficking out of the debate entirely by making them show that it actually exists on these platforms. My estimation is that they won't be able to respond because they won't have anything to show.

  • Mar 29th, 2017 @ 11:40am

    Re:

    Start fighting it by asking the prosecutors one pointed question: "Which ads have resulted in successful prosecutions where the providers were in fact under-age? Be specific please, I don't want just numbers I want to see the actual ads and to hear you state the ages of the minors involved.". Then let them fumble but keep them on-point: actual ads, not their guesses. And when they try to wiggle out with a plea that they need this law because they can't find the actual criminals, reply with "Then how do you propose to prove that the site was hosting child-trafficking posts if you admit you don't know and can't prove that the posts were trafficking minors? This isn't the Wild West where we tolerate vigilantes, you know, we expect crimes to be proven in court before we punish people for them.".

  • Mar 28th, 2017 @ 1:40pm

    Re: Wonderful news!

    That's been clear from the start. There's a reason, after all, that the RIAA's first target wasn't the out-and-out pirates, it was the one site (MyMP3.com) that was taking any sort of steps to ensure people could only download songs they'd already paid for. Pirates the RIAA could deal with, or at least factor into the pricing. A legitimate (or perceived as such) distribution channel outside their control? That was a true threat.

  • Mar 28th, 2017 @ 12:14pm

    (untitled comment)

    The labels used to handle the publicity and advertising. They aren't going to adapt, but I see the salespeople and marketing types going the same route as the artists: ones that enjoy the job will get together with the artists and take over the role the labels aren't filling. Instead of labels "hiring" artists to supply them with content to market, we'll have artists hiring marketing people to help bring attention to their work. It'll take a while, but I think the change is going to be inevitable.

  • Mar 20th, 2017 @ 6:22pm

    Re: Re: Re: Re: Re: Re: Re:

    > You have a broken pane of glass. Nearby there is a baseball.

    And you just ran into what I said: the rule says don't stop at the first correlation. While broken windows may be correlated with baseballs, they're also correlated with a lot of other things and there goes the "only one variable" part. And I'd argue there's a high correlation, because the vast majority of baseballs aren't accompanied by broken windows and the vast majority of broken windows don't occur around baseballs.

    Suppose you have the same broken window and baseball. When you investigate, you find that 99% of _all_ broken windows had a baseball nearby. What are the chances that that broken window wasn't caused by the baseball?

  • Mar 20th, 2017 @ 11:32am

    Re: Re: Re: Re: Re:

    However, causation requires correlation so if you're looking for a cause you need to start looking where you find a correlation. And if you find a high correlation with only one variable, odds are really good that the cause is tied to that variable.

    The "correlation isn't causation" rule doesn't instruct you to ignore correlation completely, it instructs you to not stop looking just because you found one correlation.

  • Mar 20th, 2017 @ 10:20am

    (untitled comment)

    His generation's the ones running the companies that started showing no loyalty to employees. If millennials show little or no loyalty to their employers, they're just applying the lessons their employers taught them about loyalty.
