Eldakka’s Techdirt Profile



Eldakka’s Comments

  • Oct 1st, 2015 @ 1:07am

    Re: Re: Re: Re: Re: Re: Re:

    you apply the crack immediately after installing the game, not a month later when the IPS goes down...

  • Sep 25th, 2015 @ 4:05am

    Re: Re: Re:

    why? if they set up an SSL link first (i.e. SMTPS or IMAPS) you don't need STARTTLS.

    STARTTLS is a fallback, something you use when you don't support proper link encryption. If you support SMTPS or IMAPS (which is equivalent to HTTPS), you don't need STARTTLS.

    STARTTLS is at the bottom of the food chain for encryption of email connections. I very much doubt we are talking about them not using encryption, they just don't use STARTTLS. STARTTLS is what you use when you (as an admin) couldn't be FireTrucked to set up SMTPS/IMAPS. STARTTLS has more vulnerabilities than SMTPS/IMAPS:

    Because the initial handshake takes place in plain text using opportunistic encryption, an actor in control of the network can strip the STARTTLS from the network, silently forcing a user's emails to be sent in plain text in a STRIPTLS attack. In September 2014, major email providers in Thailand were subject to such large scale attacks. In October 2014 Cricket Wireless, then a subsidiary of VPN provider Golden Frog, was found to be doing this using Cisco devices on their network in an attempt to inspect emails and block spam.

  • Sep 24th, 2015 @ 12:45am


    oops hit post instead of preview...

    If you are already encrypted using TLS/SSL before you perform the application level connection between the client software and the mail server software, i.e. at the protocol or transport layer, VPN or already SSL'ed, then you don't need STARTTLS.

    And that's what having a PKI infrastructure usually means. Users usually have their own user certificate, the server has a server certificate, and encryption is performed by the PKI system in place instead of relying on the mail server and mail client to support STARTTLS. Basically, think of it as using a proprietary encryption layer instead of using the open standard STARTTLS, which is only necessary if you don't have your own encryption layer on top already.

    Take where I work for example. We have multiple offices around the country and the world. We don't use STARTTLS between our internal email clients and our internal mail server because we use a thick client on our desktop that has encryption built-in (outside STARTTLS) for the mail server from the same vendor. Sure, our 'thick clients' do support STARTTLS, but it only uses that if I decide to point my client at a 3rd-party, non-vendor supplied mail server.

    And our mail servers, when connecting to the mail servers of our offices and partners, also don't use STARTTLS or SSL/TLS for encryption. Nor does our client encrypt our emails. Why? Because our network infrastructure has VPN routers with pre-shared-keys in it, as does every one of our offices and our partners. When we communicate between any of these, the core routers do NOT forward the connections to the border routers, they forward the connection to the VPN routers that establish a VPN - an encrypted pipe - with our partner/office, and send the data down that already encrypted pipe, therefore no STARTTLS, no SSL, no TLS, no email encryption is necessary as the LINK is encrypted between the locations and if encryption fails, the route to the office/partner fails until the VPN is re-established.

    Therefore the users of the mail client or browser connecting to a partner do not have to take any steps, don't even have to know about, encryption. The software doesn't have to implement, support or even know about encryption. It's all handled transparently for them at the network infrastructure layer.

    Of course, this is a 2-edged sword. Since the users are "dumb users" who have no idea, if they have to send sensitive information (which is against policy, and could be a sackable offense) to someone who isn't in a branch office or partner organisation, they have no idea about encryption/message security. Hell, there have been cases where someone has sent sensitive email to a partner, but also put a non-partner (I think it was also cc'ed to a home account of someone who was already getting the email via their work email) on the cc list; the emails to the partners all went down the encrypted pipes, but the email to fred@someisp.com went through the normal, unencrypted public internet. The user to this day still doesn't understand what they did wrong, because all they did was add someone to the cc list.

    But this is the type of system these agencies ARE using. They don't need to 'do' STARTTLS because they don't need the application software to set up their encryption, because they are already encrypted before the application software is even aware that someone wants to connect to it. Probably with a much higher level of encryption in their encryption layer than that used by STARTTLS. Hell, STARTTLS is vulnerable to man-in-the-middle (MIM/MITM) attacks since it has to negotiate key exchanges and so on. With network layer security this is not possible if using pre-shared-keys. This also has the added side-benefit of simplifying software that doesn't have to have encryption built into the software (the network takes care of that), and when encryption changes, the entire network's encryption can be updated by patching some vendor-specific hardware devices and a single client piece of software on the PC that enables connection to the encrypted network, rather than the dozens, hundreds of individual different pieces of software that have to be patched because they have encryption built in...
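    As an added illustration (not part of Eldakka's comments) of the STARTTLS-stripping risk raised in the Sep 25th comment and the key-negotiation point above: a small Python client-side check that reads the server's EHLO capability list and refuses to carry on in plaintext when STARTTLS is no longer advertised, instead of silently falling back. The ScriptedServer class, its reply lines and the client hostname are constructed stand-ins for a real SMTP socket.

```python
"""Client-side STARTTLS policy: never fall back to plaintext just because the
EHLO response (which travels unencrypted) stopped advertising STARTTLS."""
import re


class ScriptedServer:
    """Constructed stand-in for an SMTP server: answers from a fixed script."""

    def __init__(self, ehlo_lines):
        self.ehlo_lines = ehlo_lines  # what the client will see after EHLO
        self.received = []            # every command the client sent

    def send(self, line):
        self.received.append(line)
        if line.startswith("EHLO"):
            return self.ehlo_lines
        if line == "STARTTLS":
            return ["220 Ready to start TLS"]
        if line == "QUIT":
            return ["221 Bye"]
        return ["250 OK"]


def parse_ehlo_capabilities(lines):
    """Extract capability keywords from a multi-line 250 EHLO response.
    The first line carries the server's domain, not a capability."""
    caps = set()
    for line in lines[1:]:
        m = re.match(r"250[ -]([A-Za-z0-9]+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def negotiate(server, require_tls=True):
    """Return 'tls' if STARTTLS was accepted, 'aborted' if the client refused to
    continue in plaintext, or 'plaintext' only when fallback is explicitly allowed."""
    caps = parse_ehlo_capabilities(server.send("EHLO client.example"))
    if "STARTTLS" in caps:
        reply = server.send("STARTTLS")
        if reply and reply[0].startswith("220"):
            return "tls"  # a real client would now wrap the socket in TLS
    if require_tls:
        server.send("QUIT")  # no credentials or mail go over the wire
        return "aborted"
    return "plaintext"
```

    With the capability line removed from the EHLO reply (what a STRIPTLS middlebox does), the strict client ends the session before AUTH, which is also the event worth logging on the client side.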

  • Sep 24th, 2015 @ 12:14am

    (untitled comment)

    OK, let's insert some sanity here.

    Just because they don't use STARTTLS doesn't mean they are not encrypted.

    STARTTLS is used when the client initially establishes an insecure, un-encrypted connection to the mail server. The mail server then says "hey, let's encrypt this session with TLS, here's my public key" and whatnot, they then negotiate.

    HOWEVER, if you already do the initial connection using TLS at the network/protocol layer (TLS is more commonly called SSL - as SSL was revised and enhanced and newer versions released, its name changed from SSL to TLS. Therefore strictly speaking SSL refers to SSL 1.0 to 3.0. SSL 3+ was renamed TLS, and TLS1.0 is basically SSL 4.0, etc)

  • Sep 23rd, 2015 @ 11:42pm

    Re: Walking is not a big CO2 producer.

    I ride a motorbike ~16km to work in about 15 minutes, and likewise another ~16km back home again.

    If I was fit enough, and could actually run at that speed (64km/h), how much CO2 would I emit in running ~32km in 30 minutes? How would that compare to the amount of CO2 my motorbike releases?

    I am genuinely curious.

  • Sep 23rd, 2015 @ 11:19pm

    Re: Re: Re: fraudulent info

    shifts costs from your customers onto the entire society?
    How do you reach this conclusion?

  • Sep 23rd, 2015 @ 11:18pm

    Re: Re: Re: Re: fraudulent info

    If the intent of a law differs significantly from the letter of the law, and/or how the law is applied in practice, then that's a sign of either a poorly written law or someone basically making up laws as they go along via 'creative interpretation'.
    Exactly like 75% of the other laws on the books? So business as usual.
    Legal loopholes do not result in multi-billion dollar fines
    Neither has this. No jury has rendered a verdict, no judge has ruled. As far as I can tell no charges or case has been filed with any court yet. All we have is legal d**ck waving by the EPA making press releases. Sure they might be right, but at least wait until we have a court filing detailing the crimes/breaches and the requested penalties first.

  • Sep 21st, 2015 @ 12:46am

    Re: Re:

    The suit was over non-functional design aspects.

    The suit wasn't over the fact the other house HAD windows, or HAD a roof. It was over the non-functional, aesthetic aspects of the house.

    Say I built a house with a roof that had 37 minarets of varying heights and thicknesses. Randomly scattered over the roof. Ranging from 5cm to 50cm across, and 20cm to 2 meters high. Varying cross-sectional shapes - some round, some oblong, some square, some penta-hexa-octa-deca-mora-sided. Built with different materials, some red-brick, some white-brick, different types of timber, some poured cement. The minarets served no purpose, they aren't for hanging, no space inside them for storage, they aren't meant for bird coops or perches. They are there because I had too much acid^H^H^H^H imagination when I pressed the send button on my "Confirm Final Specifications" email to my builder - just before I headed off on a 6-month around-the-world pub-crawl^H^H^H^H^H^H^H^H^H bender^H^H^H^H^H^H no computers/phones allowed eco-holiday expecting to find a completed home when I got back.

    Now if someone else built a house with an identical set of 37 minarets, same positions, same sizes, same materials, EXACTLY the same except the roof was 2 streets over. I would call shenanigans on them.

    But it is a similar principle as to what is happening here. It's that the second house's windows had the EXACT SAME non-common non-functional required shape. The EXACT SAME non-functionally required dimensions. The same number of windows in the same positions. The exact same size/shape roof.

    If the second house had JUST had the same roof, or just had the same windows, they'd probably have gotten away with it, the judge would have probably laughed the plaintiff out of court.

    But once you combine ALL non-functional aesthetic factors, it's a straight copy of (for want of a better phrase) artistic non-functional elements.

    Now, whether they SHOULD be able to copyright that design, and be able to enforce that copyright, now THAT is a different question.

    PS could we get the < del > tag added?

  • Sep 21st, 2015 @ 12:14am

    Re: Something else seems off here.

    I think that would depend on how the copies were made.

    1) Were they purchased from the copyright holder?
    2) Did the builder ask for a copy from the copyright holder who then complied?
    3) Did the copyright holder put any restrictions on the use of the copy when it was obtained ? e.g. for informational purposes and not to be used as plans for actual construction?
    4) Did the builder just obtain a copy without the consent of the copyright holder?
    5) Were the plans provided for 1 purpose - building of the original house - and then re-purposed, without the copyright holder's consent, in the construction of a second house?

    From the description I have read of this so far, it seems that the builder of the original house and the 'copycat' house was the same builder. Therefore I suggest point 5 above was the likely scenario, therefore the only legal use of the legally made copy of the plans was for the construction of the original house. Once that purpose had been accomplished, the builder was no longer authorised to use those plans for other construction purposes. Therefore when the builder reused the plans, at that point the copy became an illegal copy.

    It's sorta like buying a piece of software - say MS Office. I purchase that copy, and have the rights to use it on a single computer. However, the retailer I bought that copy from (well, really, the license key) can't make a copy of the software and then sell that copy on to another customer.

  • Feb 24th, 2015 @ 9:22pm


    "preponderance of the evidence," something that sounds like a lot but in reality is far lower than establishing guilt "beyond a reasonable doubt." If the latter edges towards a theoretical 75% assurance of guilt, the percentage for asset forfeiture approaches a coin flip: 51%.
    IANAL, but I'd suggest the 75% assurance level you refer to would be more likely covered by the Clear and Convincing evidence standard, with beyond a reasonable doubt at more like the 90% (personally I'd have to be 95% convinced) level.

  • Feb 24th, 2015 @ 8:48pm


    We're having "this kind of dialogue"---such as it is---only because the government and intelligence community...
    ...have been caught red-handed already doing this, and wish to justify and continue their endeavours.

  • Feb 19th, 2015 @ 7:28pm

    Re: Re:

    How about the 14 year pwn of HDDs?

    To what are you referring? Sounds interesting...

  • Dec 20th, 2014 @ 2:36pm

    Re: Contact info

    Rather than directly contacting and harassing her, why not file a Notice of Opposition with the USPTO at http://estta.uspto.gov/filing-type.jsp (select "Notice of Opposition" from the drop down near the bottom of the page under the "File a new proceeding" heading).

  • Dec 7th, 2014 @ 6:45pm

    Re: Update

    Not at all, Trademarks, like patents, are country specific. The US Kmart and Target do not have trademarks on those terms in Australia and have no rights over them. The Wesfarmers (NOT West Farmers) group owns the trademarks on those terms in Australia, and vice-versa, Wesfarmers has no ownership and no rights over those marks in the US.

    No trademark lawyer needed.

  • Dec 7th, 2014 @ 5:01pm


    Time to dig out my old palmpilot that doesn't have any wireless connectivity (except an infra-red port, but at least that's line of sight and I can cover it), and install a password manager on there and use it only for retrieving my passwords, no wireless connections, never plug it in to another device, just use the monochrome LED screen for input/output.

    Or maybe get out an old smartphone and physically disconnect the antennas.

  • Dec 4th, 2014 @ 8:38pm

    Re: Re: Pry

    Because it requires 2 hands to do that?

  • Dec 2nd, 2014 @ 6:24pm


    The position of cab services as operating potentially lethal equipment
    You mean like everyone who drives a car? Are taxis more lethal than other motor vehicles? Why is it that for 99+% of the population a special document known as a "Drivers License" is sufficient to handle said lethal equipment, but a Taxi driver requires some other form of documentation?

    and frequently dealing with isolated and vulnerable customers
    Like door-to-door salesmen? Pizza delivery drivers? Pool cleaners? Gardeners? Do they all need some sort of special licensing because they frequently deal with isolated and vulnerable customers?

  • Nov 27th, 2014 @ 2:09am

    Re: Re: Re: What the heck were they thinking?

    From the article, these do NOT sound like "legally-mandated backup/archive of an email corpus in order to comply with future discovery requests,".

    As the article says, these are from DR tapes, which likely means they are full server backup tapes.

    DR backups are not designed to go "let's recover email x from the email database stored on server Z".

    DR backups are designed for restoring entire servers to an operational state after some sort of disaster - ranging from someone taking a hammer to a server to a nuke destroying the data center.

    At best they could restore the entire email database, then search through the restored database for emails (either by querying it directly or importing it back into an email server to do 'normal' email searches).

    Not to mention they may have to actually restore multiple instances of the database, because if they are DR backups they are probably monthly full backups, so to retrieve emails that have been deleted at various times, they may have to restore several backup versions to pull out emails that may have been deleted prior to subsequent backups.

    All in all, it sounds like they have a bodgy system designed to NOT be able to easily audit/version emails, with no email-specific archiving mechanism (hey, they even said the official way to 'archive' business-relevant emails is to print them out and literally file them on a paper file). Therefore it is a SIDE-EFFECT of DR backups that they are able to retrieve old emails.

    Hell, if I was running the backup system and the intent (even if unofficially) was to not keep a history of business decisions, I'd only keep 2 'monthly' backups, overwriting the 3-month old backup with the current month (in addition to the daily incremental backups which would only be kept until the next full backup is verified successful). That way you COULDN'T go back more than 3 months, which is more than sufficient for DR.

    Of course, that's if you are using a grandfather/father/son backup schedule, I always preferred "incremental forever" systems myself.

  • Nov 13th, 2014 @ 10:56pm

    (untitled comment)

    Unfortunately, for a university of its size and wealth, these fines clearly aren't much of a deterrent.

    That's where the 2-years in prison comes in. If $1000 isn't much of a deterrent, I'm sure throwing people in prison, even if it's only for a month or 2, might start changing minds.

  • Nov 13th, 2014 @ 8:49pm

    is there a transcript?

    I prefer reading to listening/watching, it's much more efficient, not to mention easier to do while in a public place (or, ahem, work).
