There is no dispute that they and law enforcement agencies should have the necessary powers to detect and stop attacks before they happen.
Wow, and here I thought it was law enforcement's job to enforce the law. Arresting people for actually breaking the law. Dissuading people from breaking the law by being a visible, and practical deterrence to breaking the law by arresting people when they do break the law. Seems these people think it is law enforcement's job to arrest people for thinking about breaking the law. Thought-crime police a reality.
I would suggest it's the military's job to stop these types of attacks before they occur. It is not the military's job to enforce the law, it's their job to 'defend/protect the country'.
"Incentivizing vetting of passengers?" Isn't that pretty much the only task the TSA performs? (I mean, when not running its Instagram account or helping the DEA walk off with a traveler's money…) After 15 years on the job, you'd think the TSA's vetting incentive program would be humming away like a well-funded machine. Apparently not, though.
I think you are drawing the wrong conclusion from that statement. To me, that jargon/buzzword statement is actually a statement regarding MORALE. It's implying morale is low and staff don't care about what/why they are doing the work. They are drones just ticking the boxes on the paperwork.
Incentive: noun 1. something that incites or tends to incite to action or greater effort, as a reward offered for increased productivity. adjective 2. inciting, as to action; stimulating; provocative.
They're saying that they've gotta increase the morale of their staff so they CARE about the vetting, so that they do more than blindly, unthinkingly follow the procedures. So that they actively look for suspicious people rather than just being a drone ticking the boxes.
Why? If they set up an SSL link first (i.e. SMTPS or IMAPS) you don't need STARTTLS.
STARTTLS is a fallback, something you use when you don't support proper link encryption. If you support SMTPS or IMAPS (which is equivalent to HTTPS), you don't need STARTTLS.
STARTTLS is at the bottom of the food chain for encryption of email connections. I very much doubt we are talking about them not using encryption, they just don't use STARTTLS. STARTTLS is what you use when you (as an admin) couldn't be FireTrucked to set up SMTPS/IMAPS. STARTTLS has more vulnerabilities than SMTPS/IMAPS:
Because the initial handshake takes place in plain text using opportunistic encryption, an actor in control of the network can strip the STARTTLS from the network, silently forcing a user's emails to be sent in plain text in a STRIPTLS attack. In September 2014, major email providers in Thailand were subject to such large scale attacks. In October 2014 Cricket Wireless, then a subsidiary of VPN provider Golden Frog was found to be doing this using Cisco devices on their network in an attempt to inspect emails and block spam
If you are already encrypted using TLS/SSL before you perform application level connection between the client software and the mail server software i.e. at the protocol or transport layer, VPN or already SSL'ed, then you don't need STARTTLS.
And that's what having a PKI infrastructure usually means. Users usually have their own user certificate, the server has a server certificate, and encryption is performed by the PKI system in place instead of relying on the mail server and mail client to support STARTTLS. Basically, think of it as using a proprietary encryption layer instead of using the open standard STARTTLS which is only necessary if you don't have your own encryption layer on top already.
Take where I work for example. We have multiple offices around the country and the world. We don't use STARTTLS between our internal email clients and our internal mail server because we use a thick client on our desktop that has encryption built-in (outside STARTTLS) for the mail server from the same vendor. Sure, our 'thick clients' do support STARTTLS, but it only uses that if I decide to point my client at a 3rd-party, non-vendor supplied mail server.
And our mail servers when connecting to the mail servers of our offices and partners also don't use STARTTLS or SSL/TLS for encryption. Nor does our client encrypt our emails. Why? Because our network infrastructure has VPN routers with pre-shared-keys in it, as does every one of our offices and our partners. When we communicate between any of these, the core routers do NOT forward the connections to the border routers, they forward the connection to the VPN routers that establish a VPN - an encrypted pipe - with our partner/office, and send the data down that already encrypted pipe, therefore no STARTTLS, no SSL, no TLS, no email encryption is necessary as the LINK is encrypted between the locations and if encryption fails, the route to the office/partner fails until the VPN is re-established.
Therefore the users of the mail client or browser connecting to a partner do not have to take any steps, don't even have to know about, encryption. The software doesn't have to implement, support or even know about encryption. It's all handled transparently for them at the network infrastructure layer.
Of course, this is a 2-edged sword. Since the users are "dumb users" who have no idea, if they have to send sensitive information (which is against policy, and could be a sackable offense) to someone who isn't in a branch office or partner organisation, they have no idea about encryption/message security. Hell, there have been cases where someone has sent sensitive email to a partner, but also put a non-partner (I think it also cc'ed to a home account of someone who was already getting the email via their work email) on the cc list, the emails to the partners all went down the encrypted pipes, but the email to email@example.com went through normal, unencrypted public internet. The user to this day still doesn't understand what they did wrong, because all they did was add someone to the cc list.
But this is the type of system these agencies ARE using. They don't need to 'do' STARTTLS because they don't need the application software to set up their encryption because they are already encrypted before the application software is even aware that someone wants to connect to it. Probably with a much higher level of encryption in their encryption layer than that used by STARTTLS. Hell, STARTTLS is vulnerable to man-in-the-middle (MIM/MITM) attacks since it has to negotiate key exchanges and so on. With network layer security this is not possible if using pre-shared-keys. This also has the added side-benefit of simplifying software that doesn't have to have encryption built into the software (the network takes care of that) and when encryption changes, the entire network's encryption can be updated by patching some vendor-specific hardware devices and a single client piece of software on the PC that enables connection to the encrypted network, rather than the dozens, hundreds of individual different pieces of software that have to be patched because they have encryption built in...
Just because they don't use STARTTLS doesn't mean they are not encrypted.
STARTTLS is used when the client initially establishes an insecure, un-encrypted connection to the mail server. The mail server then says "hey, let's encrypt this session with TLS, here's my public key" and whatnot, they then negotiate.
HOWEVER, if you already do the initial connection using TLS at the network/protocol layer (TLS is more commonly called SSL - as SSL was revised and enhanced and newer versions released, its name changed from SSL to TLS. Therefore strictly speaking SSL refers to SSL 1.0 to 3.0. SSL 3+ was renamed TLS, and TLS1.0 is basically SSL 4.0, etc)
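The downgrade discussed in the comments above depends on what a client does when STARTTLS is missing from the plaintext EHLO reply. The following Python sketch is an added example, not part of the original comments; the EHLO replies are constructed samples and the function names are hypothetical. It parses the reply and fails closed when TLS is required or was previously offered by the same server:

```python
import re

# Constructed EHLO replies (not captured traffic): the same server as seen
# directly, and as seen through a device that overwrites the STARTTLS keyword.
EHLO_DIRECT = (
    "250-mail.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_STRIPPED = EHLO_DIRECT.replace("STARTTLS", "XXXXXXXX")

_REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def ehlo_extensions(reply):
    """Parse a multi-line SMTP EHLO reply into a set of upper-case keywords."""
    keywords = set()
    lines = reply.splitlines()
    for index, line in enumerate(lines):
        match = _REPLY_LINE.match(line)
        if not match or match.group(1) != "250":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        # "250-" marks a continuation line, "250 " marks the final line.
        is_last = match.group(2) == " "
        if is_last != (index == len(lines) - 1):
            raise ValueError("malformed multi-line reply")
        if index == 0:
            continue  # first line is the server greeting/domain, not a keyword
        words = match.group(3).split()
        if words:
            keywords.add(words[0].upper())
    return keywords


def next_step(reply, require_tls, seen_starttls_before=False):
    """Decide what a client does after EHLO on a plaintext session.

    Returns "starttls", "plaintext" or "abort". Falling back to "plaintext"
    is the opportunistic behaviour that keyword stripping relies on.
    """
    if "STARTTLS" in ehlo_extensions(reply):
        return "starttls"
    if require_tls or seen_starttls_before:
        return "abort"  # fail closed: a missing STARTTLS is treated as a downgrade
    return "plaintext"
```
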
If the intent of a law differs significantly from the letter of the law, and/or how the law is applied in practice, then that's a sign of either a poorly written law or someone basically making up laws as they go along via 'creative interpretation'.
Exactly like 75% of the other laws on the books? So business as usual.
Legal loopholes do not result in multi-billion dollar fines
Neither has this. No jury has rendered a verdict, no judge has ruled. As far as I can tell no charges or case has been filed with any court yet. All we have is legal d**ck waving by the EPA making press releases. Sure they might be right, but at least wait until we have a court filing detailing the crimes/breaches and the requested penalties first.
The suit wasn't over the fact the other house HAD windows, or HAD a roof. It was over the non-functional, aesthetic aspects of the house.
Say I built a house with a roof that had 37 minarets of varying heights and thicknesses. Randomly scattered over the roof. Ranging from 5cm to 50cm across, and 20cm to 2 meters high. Varying cross-sectional shapes - some round, some oblong, some square, some penta-hexa-octa-deca-mora-sided. Built with different materials, some red-brick, some white-brick, different types of timber, some poured cement. The minarets served no purpose, they aren't for hanging, no space inside them for storage, they aren't meant for bird coops or perches. They are there because I had too much acid^H^H^H^H imagination when I pressed the send button on my "Confirm Final Specifications" email to my builder - just before I headed off on a 6-month around-the-world pub-crawl^H^H^H^H^H^H^H^H^H bender^H^H^H^H^H^H no computers/phones allowed eco-holiday expecting to find a completed home when I got back.
Now if someone else built a house with an identical set of 37 minarets, same positions, same sizes, same materials, EXACTLY the same except the roof was 2 streets over. I would call shenanigans on them.
But it is a similar principle as to what is happening here. It's that the second house's windows had the EXACT SAME non-common non-functional required shape. The EXACT SAME non-functionally required dimensions. The same number of windows in the same positions. The exact same size/shape roof.
If the second house had JUST had the same roof, or just had the same windows, they'd probably have gotten away with it, the judge would have probably laughed the plaintiff out of court.
But once you combine ALL non-functional aesthetic factors, it's a straight copy of (for want of a better phrase) artistic non-functional elements.
Now, whether they SHOULD be able to copyright that design, and be able to enforce that copyright, now THAT is a different question.
I think that would depend on how the copies were made.
1) Were they purchased from the copyright holder?
2) Did the builder ask for a copy from the copyright holder who then complied?
3) Did the copyright holder put any restrictions on the use of the copy when it was obtained? e.g. for informational purposes and not to be used as plans for actual construction?
4) Did the builder just obtain a copy without the consent of the copyright holder?
5) Were the plans provided for 1 purpose - building of the original house - and then re-purposed, without the copyright holder's consent, in the construction of a second house?
From the description I have read of this so far, it seems that the builder of the original house and the 'copycat' house was the same builder. Therefore I suggest point 5 above was the likely scenario, therefore the only legal use of the legally made copy of the plans was for the construction of the original house. Once that purpose had been accomplished, the builder was no longer authorised to use those plans for other construction purposes. Therefore when the builder reused the plans, at that point the copy became an illegal copy.
It's sorta like buying a piece of software - say MS Office. I purchase that copy, and have the rights to use it on a single computer. However, the retailer I bought that copy from (well, really, the license key) can't make a copy of the software and then sell that copy on to another customer.
"preponderance of the evidence," something that sounds like a lot but in reality is far lower than establishing guilt "beyond a reasonable doubt." If the latter edges towards a theoretical 75% assurance of guilt, the percentage for asset forfeiture approaches a coin flip: 51%.
IANAL, but I'd suggest the 75% assurance level you refer to would be more likely covered by the Clear and Convincing evidence standard, with beyond a reasonable doubt at more like the 90% (personally I'd have to be 95% convinced) level.
Rather than directly contacting and harassing her, why not file a Notice of Opposition with the USPTO at http://estta.uspto.gov/filing-type.jsp (select "Notice of Opposition" from the drop down near the bottom of the page under the "File a new proceeding" heading)?