Mason Wheeler’s Techdirt Profile

masonwheeler

About Mason Wheeler




Mason Wheeler’s Comments comment rss

  • May 5th, 2016 @ 3:34pm

    (untitled comment)

    It is the sense of Congress that nobody is above the law...

  • May 5th, 2016 @ 12:43pm

    (untitled comment)

    Under the Protect America Act, then, the government has an unqualified right to have the Court review a classified submission ex parte and in camera which, of course, includes the unqualified right to keep that submission from being disclosed to any party in an adversarial proceeding before this Court.

    Seems to me, then, that the judge only has one course of action that's even remotely reasonable: rule the Protect America Act unconstitutional and find the NSA in contempt of court.

  • May 5th, 2016 @ 9:48am

    (untitled comment)

    Bkhchadzhyan? How is that pronounced? What in the world is your mouth supposed to do with B-K-H-CH with no vowels between them?

  • May 5th, 2016 @ 8:41am

    Re: Re: Re: Re:

    This efficient system increases the potential for a security breach to impact large numbers of vehicles by orders of magnitude.

    Good point! That would explain why Tesla's cars are getting remote-hacked left and right... oh wait, no, they aren't. In fact, security researchers trying to hack Teslas are saying the same thing about them that physical crash testers are saying: they're the safest cars on the road. This is probably because Tesla is not "a car company" as commonly understood, but rather a high-tech company whose product is cars. It's run by tech-savvy people who understand computers and computer security, and that makes a huge difference.

    I'm not privy to any details, but I can only assume that people aren't spreading malware to Tesla systems over their remote update protocol for the same reason we haven't seen malware pushed en masse to billions of computers worldwide over Windows Update: because the updates are cryptographically signed to prevent such attacks.

  • May 4th, 2016 @ 12:04pm

    Re: Re: Re: Re: Re: Not a reasonable option

    ...which is why I specifically said that exemptions for legitimate use are necessary to make this reasonable. It was literally the first thing I wrote in my original post. Why are you acting as if I was supporting the entire proposed law exactly as written, when I specifically said the opposite?

  • May 4th, 2016 @ 10:08am

    Re: Re: Not a reasonable option

    Not what I was saying at all. Please don't twist my words.

    More appropriate:

    "What are you in for?"

    "I hacked someone else's car."

  • May 4th, 2016 @ 10:07am

    Re: Re:

    There's nothing that malware can do that isn't comparable to some existing tampering with a car.

    I beg to differ. Read up on the Jeep hack: the hackers were able to take control of the vehicle remotely, with the driver inside. That's something new that you can't get without a computer. What if the next malware is being run by someone less benevolent than a couple of security researchers, and they decide to play demolition derby on a highway--or in a residential neighborhood?

  • May 4th, 2016 @ 10:04am

    Re: Re:

    - Legally mandate that any programmable control system must be easily and cheaply replace.

    There are two meanings of the word "cheap." One is "low price", and the other is "low quality." They're attached to the same word due to their high tendency to be correlated. This "option" would effectively require that one of the most critical components of a car be selected based on low price rather than high quality.
    - Legally mandate that any programmable control system must be wholly reprogrammable, so that any installed malware is wiped

    Which is great in theory, right up until you miss something. Problem is, the fact that malware got in in the first place is prima facie evidence that they missed something, which tends to diminish confidence in the idea that they wouldn't have missed anything else.
    - Legally mandate that programmable control systems be isolated from remote communications, so that malware can only be installed by someone physically adjacent to the target vehicle.

    Congratulations, you just shut down Tesla's incredibly effective and efficient system of fixing car software bugs by deploying remote updates!

    Got any more brilliant ideas?

  • May 4th, 2016 @ 9:58am

    Re: Re:

    Your hack intended to stop people's cars from starting unintentionally also cuts the brakes at 60 mph?
    Here's your unintentional manslaughter.

    I wasn't talking about unintentional effects; I was talking about hidden effects. Unless the code can be effectively analyzed, it could do anything. (Read up on the phrase "arbitrary code execution" sometime. That's what it means.)

    This is not theoretical; real-world malware has been doing equivalent things in computers for decades, and sometimes it's not easy to figure out what they're intended to do. To give a real-world example, the original computer worm, created by Robert Tappan Morris, brought the Internet of 1989 to its knees, crashing a huge amount of servers by making so many copies in memory that it bogged them down until they were unable to do anything.

    Morris claimed, after he was caught, that all he wanted to do was create something that would "count the number of machines on the Internet," and a bug causes it to multiply out of control. It wasn't until much later that analysis of the source code showed a very different picture: he was a cybercriminal mastermind, years ahead of his time. There was code in the worm to establish what we call "a botnet" today, and it was only due to a fortuitous glitch that it never became active.

    Any malware found in a vehicle should be treated as evidence of attempted murder by default, even if it's detected before it actually kills anyone. If you understand the meaning of "arbitrary code execution," that's obvious. If not, please do some studying before declaring that those of us who do understand it are wrong.

  • May 4th, 2016 @ 8:42am

    (untitled comment)

    On the one hand, yes, exemptions are necessary for legitimate access. On the other, I can totally see why such a high penalty would be appropriate for actual malicious hacking.

    If you talk with security professionals, they paint a very different picture than the opinion given here:

    One tends to think of prison terms as being somewhat related to the harm caused and if someone fires off malware that prevents someone from starting their vehicle, there's no way that should be punished by a life sentence. I'm sure the legislators are contemplating worst-case scenarios where someone electronically hijacks a vehicle and causes someone's death, but that sort of thing should be punishable under other laws more commensurate with the end result of the hacking.

    Ask someone trained in computer security how to handle a malware infection, and the answer, if the person you're talking to is competent, will invariably be some variation on "nuke it from orbit; it's the only way to be sure." There are so many places on a computer where malware can hide itself that the general consensus is that there is no way to "clean" an infected system and feel confident afterwards that it's truly gone.

    Needless to say, the ramifications of this are very different for a computer that costs a few hundred dollars to replace, and for a car that costs tens of thousands! Also, along the same lines, there's no way to be sure what malware does simply by analyzing observable behavior, because it could always be waiting for new circumstances to arise in order to then trigger new behavior. The "mostly harmless" virus that prevents you from starting your vehicle may seem like a silly prank that doesn't warrant locking anyone up, right up until you manage to get it started, feeling safe, and then it disables your brakes at 60 MPH.

    There are two ways for the law to deal with this sobering reality. One is to ban all black-box development. Everything must be open-source and thoroughly analyzable by everyone, with system-level enforcement of this requirement. Under such circumstances, it would be possible to be sure that a system has been cleaned without having to throw it out. But the industry would never go for it.

    The other is draconian-grade deterrence, which is what we're seeing here. Until the first alternative can be implemented, it is, unfortunately, really the only reasonable option available.

  • Apr 29th, 2016 @ 4:24pm

    Re: Re:

    The two are one and the same. The thing most people don't get these days is that racism was never about racism. It was always simply a means to an end, and that end was profit.

    If you look at historical documents of Southern slaveholders' anti-emancipation arguments, you find very little in the way of ideological justification for racism for its own sake. In fact, what you do find sounds surprisingly modern, basically boiling down to "if you force us to treat our laborers like human beings, it will DESTROY OUR ECONOMY!!!!!!"

    The only real difference is, it used to be black laborers being oppressed, and now it's everyone.

  • Apr 29th, 2016 @ 3:20pm

    Re:

    No, they're in favor of establishing corporatocracy by using the specter of "big government" as FUD to thwart any efforts to rein in large, abusive corporations.

  • Apr 29th, 2016 @ 1:35pm

    Re: Re:

    So the Internet is OK, but the entire rest of ARPA, and the results it's produced, simply doesn't exist?

  • Apr 29th, 2016 @ 12:08pm

    (untitled comment)

    On the first one, they talk about increasing funding for innovation. That's not a bad thing, per se, but it almost never works when the government is the one behind such a project.

    ...
    ...
    ...
    seriously?

    Are you even aware of where the Internet, that you use to post that ridiculous line, came from?

  • Apr 29th, 2016 @ 11:36am

    Re: Re: Hashing is not encryption

    No, it's not encrypted data. The essential characteristic of encrypted data is that it can be decrypted. Hashed data can't be un-hashed back to the original data, because it throws away information.

    As for where I heard it, it's common knowledge among people who work in this area. Simply Googling "difference between hashing and encryption" turns up plenty of useful references.

  • Apr 29th, 2016 @ 10:45am

    Hashing is not encryption

    Just a minor nitpick: a hash is not encryption, by definition. Encryption is something that can be decrypted back to the original plaintext if you have the key. With a hash, there is no key and no way to restore the original plaintext--which is why you use hashing, rather than encryption, to store passwords.

  • Apr 29th, 2016 @ 9:49am

    Re:

    Problem is, this is not abuse of the DMCA. This is people using it exactly as designed: a process that allows content that someone claims violates the law to be removed under color of law without having to go to all the pesky effort and expense of actually proving that the law has been violated in court.

    When the stated purpose of the law is to provide an end run around a legal system that filters out fraud and illegitimate business practices, it's hard to make any serious claim that using it for fraud and illegitimate business practices is "an abuse" of the DMCA. This is the DMCA takedown system doing exactly what it was designed to do: facilitate the legitimization of fraudulent copyright claims with no Presumption of Innocence, no Due Process, and no accountability.

  • Apr 29th, 2016 @ 8:45am

    (untitled comment)

    Wow. Hijacking the identity of a major publisher is such a ridiculously stupid move, the very idea of it Hearst my head!

  • Apr 29th, 2016 @ 8:27am

    Re: Re: Re: Re: How to turn off microsoft's notice

    I disagree about content creation, but to a certain degree it depends on what kind you're doing. Certain very specialized things are dependent on Windows software.

    ...or on Apple's, if you don't mind going from bad to worse. But it's hardly "very specialized things;" most of the most fundamental content creation tools simply aren't available. There's no Photoshop on Linux and no alternative to it, for example. (Some people who have never actually used both Photoshop and GIMP suggest GIMP as an alternative. Those who are actually familiar with both programs are much more likely to use it as support for my position. It's that bad.)

    And there's a number of things you can do with Linux that you can't do with Windows (at least not without great difficulty).

    Let's pretend, for a moment, that the "you" in question is not me, lifelong computer programmer, but rather John Q. Person, who sees computers as a tool to use rather than a thing to tinker with. How confident are you in that statement, and particularly in its relevance to things that I would actually ever care about doing?

  • Apr 29th, 2016 @ 7:47am

    Re: Re: Just upgrade already, sheesh

    Please don't feed the trolls. Just click Flag and move on.

More comments from Mason Wheeler >>