sigalrm’s Techdirt Profile

sigalrm’s Comments

  • Feb 13th, 2020 @ 12:22pm

    ...and this is why backdoors mandated for law enforcement are bad

    From the article:

    "U.S. officials say Huawei Technologies Co. can covertly access mobile-phone networks around the world through “back doors” designed for use by law enforcement"

    Yup. They're talking about "Communications Assistance for Law Enforcement Act" (CALEA) Lawful Intercept interfaces. These are backdoors built into telco equipment specifically in order to allow for easy electronic surveillance in accordance with US Federal Law.

    Information about those standards is available here: https://ndcac.fbi.gov/file-repository/listandardscip-1.pdf/view

    So what the US Government is claiming is that a telco equipment vendor (Huawei, in this case) has the ability to access the backdoors the US Government requires be built into telco equipment, to which the short reply should be:

    "Of course they do - Huawei is required by the US Government to install the back door, which necessarily gives them access to the source code supporting it, and therefore access to the LI interface."

    Funny that other, US-based telco equipment vendors in the exact same position aren't also being held up as spies.

    This is a timely, real-world example of why "good-guy access only" crypto is a bad idea - provided by none other than the US Government itself.

  • Jan 14th, 2020 @ 2:07pm

    Re:

    It's definitely circumstantial, but a win7 VM that I use on a regular basis got an updated version of c:\windows\system32\crypt32.dll this morning after I ran windows update on the system.

    The timestamps on the file show a modification date of 12/10/2019 12:32AM, and a local file creation date of 1/14/2020 11:32AM.

    I'm pretty sure that file hadn't been touched since I did a new install on the VM back in the June time frame, and outside of this vulnerability there aren't a lot of reasons that MS would have re-built it and distributed it if it hadn't been subject to the same vulnerability.

  • Apr 3rd, 2019 @ 8:31am

    Re: A major HIPAA violation

    Actually, it's a little simpler. These companies don't fall under HIPAA.

  • Apr 3rd, 2019 @ 8:30am

    Re: Data protection

    If the EU government is anything like the US government, every major law along the lines of GDPR is going to have carve-outs for law enforcement.

    In the US, it's practically boilerplate language.

  • Apr 3rd, 2019 @ 8:24am

    Re: Re: HIPAA

    Actually, the trigger for HIPAA coverage isn't actually medical treatment, it's insurance billing. (Remember, it's the "Health Insurance Portability and Accountability Act".)

    Covered Entities are generally directly associated with insurance billing, and Business Associates get looped in by providing services to Covered Entities.

    There are a limited number of places that offer medical services and are strictly private payer, so they wouldn't come under HIPAA unless they're also working in conjunction with a CE.

    23andMe, Family Tree DNA, etc, don't bill insurance, so they don't fall under HIPAA as Covered Entities. And since their tests aren't CLIA validated, there's pretty much no chance of their results being used in clinical decision making, so they almost certainly don't have Business Associate Agreements in place with any Covered Entities.

  • Dec 11th, 2017 @ 4:22pm

    Re:

    > Google isn't a covered entity, but if the doctor publicizes the fact that this person actually did visit him in a professional capacity, that would violate HIPPA laws.

    1/ HIPAA, Not HIPPA

    2/ HIPAA would probably be a factor, but it's not a given. There are a few cases where HIPAA wouldn't be in play, legally speaking.

    3/ Google does sign Business Associate Agreements with HIPAA Covered Entities, which means there are instances where HIPAA is a factor for Google.

    4/ Even if HIPAA isn't in play, there should be at least one and possibly several licensing/accrediting bodies that are.

    5/ HIPAA and 1-star reviews notwithstanding, this guy is going to put himself out of business with his own actions. And deservedly so.

  • Oct 26th, 2017 @ 9:55am

    (untitled comment)

    It would be interesting to ask how many of those 6900 inaccessible devices have completely stalled an investigation.

    I'd wager the answer is "not many".

  • Oct 18th, 2017 @ 11:19am

    Re: He did more than deprive someone of their liberty falsely

    > He should be facing maximal criminal charges.

    Realistically speaking, a police officer getting fired for their conduct is about as "Maximal" as it gets when there's no loss of life involved.

  • Oct 10th, 2017 @ 9:52am

    Re: Re: Re: PureVPN was recommended by TechDirt

    > Fortunately, I just use it for hiding from my ISP and not for privacy.

    This is the piece most people miss - they fail to accurately determine what their threat model is, and then get upset when they pick the wrong countermeasure(s).

    VPNs are not one-size-fits-all.

    PureVPN is probably just fine if you're trying to hide your porn habit from your moderately technical partner/spouse/parent/child, hiding your job search from your boss, want to watch the newest episode of the Orville from a geo-restricted IP address, or just don't want Verizon selling your browsing history to a marketing firm.

    If you're planning on doing something where subpoenas or warrants could get involved, VPN Platforms recommended by sites like Techdirt are probably not your best option. Additional research (from a location not trivially tied to you) is strongly recommended.

  • Oct 10th, 2017 @ 9:29am

    Re: Re:

    The VPN logs only showed when he was online, and from what IP addresses, and at what times.

    In other words, the VPN logs only contained metadata.

    This is a perfect example as to why it's so disingenuous when the Law Enforcement and Intelligence communities claim it's no big deal because they're only collecting metadata and not content.

  • Aug 23rd, 2017 @ 8:01am

    Re: Re: Re: Re: Re: Use a VPN!

    Exactly. Duration of the stream would be an indicator, as well.

    If the telco sees multiple sequential constant-ish rate downloads with minimal return traffic, lasting either 20-23 minutes or 45-49 minutes (standard 30/60 minute US tv time block, minus commercials), they can be reasonably certain it's video.

    Coupled with many VPN platforms being trivially fingerprinted and identifiable by the types of network equipment in use by telcos, it gets to be pretty easy to either QOS the user or the VPN platform down to an "acceptable" rate by the telco.

    They don't have to be exact, just close enough. And since 3rd party VPN performance is generally pretty lacking, being locked to a 10mbps stream may not actually be noticeable to the user.

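
    An added illustration of the metadata-only heuristic this comment describes (example code, not from the original post or any telco): a classifier over constructed flow records that looks only at duration, downstream rate steadiness and the upstream/downstream byte ratio. The thresholds and the Flow record layout are assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Thresholds are illustrative assumptions, not values from any telco.
TV_BLOCKS_MIN = ((20, 23), (45, 49))  # 30/60-minute US TV slots minus commercials
MAX_RATE_CV = 0.25    # "constant-ish" rate: std dev / mean of downstream samples
MAX_UP_RATIO = 0.05   # "minimal return traffic": upstream bytes / downstream bytes


@dataclass
class Flow:
    """Metadata-only flow record (what a NetFlow-style exporter sees; no payload)."""
    label: str
    duration_s: float
    down_bytes: int
    up_bytes: int
    down_rate_mbps: list  # downstream rate sampled per interval


def looks_like_video(flow: Flow) -> bool:
    """Heuristic from the comment: episode-length, steady download rate, little upstream."""
    minutes = flow.duration_s / 60
    if not any(lo <= minutes <= hi for lo, hi in TV_BLOCKS_MIN):
        return False
    avg = mean(flow.down_rate_mbps)
    if avg <= 0:
        return False
    rate_cv = pstdev(flow.down_rate_mbps) / avg          # relative rate variation
    up_ratio = flow.up_bytes / max(flow.down_bytes, 1)   # how chatty the return path is
    return rate_cv <= MAX_RATE_CV and up_ratio <= MAX_UP_RATIO


def classify(flows):
    """Return the labels of the flows the heuristic would tag as video."""
    return [f.label for f in flows if looks_like_video(f)]


# Constructed sample flows (not captured traffic). Bytes ~= mean Mbps * seconds / 8.
SAMPLE_FLOWS = [
    Flow("episode", 1320, 825_000_000, 12_000_000, [5.1, 4.9, 5.0, 5.2, 4.8]),      # 22 min, steady
    Flow("browsing", 1330, 200_000_000, 25_000_000, [20.0, 0.1, 0.5, 15.0, 0.2]),   # bursty, chatty
    Flow("download", 300, 825_000_000, 3_000_000, [22.0, 22.1, 21.9, 22.0, 22.0]),  # steady but 5 min
    Flow("video_call", 1380, 345_000_000, 330_000_000, [2.0, 2.1, 1.9, 2.0, 2.0]),  # symmetric traffic
]

if __name__ == "__main__":
    print(classify(SAMPLE_FLOWS))  # ['episode']
```

    Only the episode-length, steady, asymmetric flow is tagged; the symmetric video call and the short bulk download are not, which is the point: no payload inspection is needed to separate them.
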
  • Aug 22nd, 2017 @ 3:53pm

    Re: Re: Re: Use a VPN!

    I'd suggest that it's a mistake to equate the technical capabilities of an overworked, multi-tasked School District network administrator with the technical capabilities of a telco network analyst.

    Yes, you can tunnel everything except the metadata.

    Having worked on the telco engineering side: Metadata is pretty much always sufficient to perform whatever network management function is needed. If Verizon wants to rate limit video traffic encapsulated in an IPSec, SSL, L2TP, or whatever tunnel technology tunnel, it's a safe bet that they can.

  • Aug 22nd, 2017 @ 2:11pm

    Re: Use a VPN!

    Leaving aside the question of finding a VPN platform that can be used to stream 4k video, it should be noted that a VPN doesn't necessarily help here.

    Practically speaking, there are a limited # of activities one can utilize a mobile phone for that will consume as much data as a video stream on a sustained basis.

    If you run a 1080p or better video stream over your mobile device for any real length of time, Verizon will be able to make some very intelligent guesses as to what you're doing without having to know the specifics.

    Cue Rate Limiting.

  • Aug 22nd, 2017 @ 1:57pm

    Re: Wait....

    From a technical perspective, Verizon is probably using QOS to rate limit streams identified as Netflix traffic to 10mbps.

    The Netflix client registers packet loss and sends feedback to Netflix, which then downgrades video quality until the client no longer reports dropped packets. This results in a graduated step-down in video quality from 4k -> 1080 -> 720 -> 480.

    On the Verizon side, it's just math: determine how much bandwidth is needed for each video tier and drop anything above that value.

  • Aug 22nd, 2017 @ 8:57am

    Re: Another reason to cord cut

    With Netflix, you can watch (some content) _on_ the plane, as well, as long as you've had enough foresight to download it to a tablet/phone ahead of time.

  • Aug 16th, 2017 @ 2:50pm

    Re:

    Or the authors live in Comcast territory.

  • Jun 23rd, 2017 @ 2:12pm

    (untitled comment)

    Ok, I give up - what exactly does it look like when someone is "visiting the dark web"?

  • Jun 22nd, 2017 @ 8:56am

    We're back to Correlation vs. Causation

    > "They would get the phone and lock themselves in their room and change who they were," he said. With one of his sons, then 12, he thought the problem became bad enough to warrant taking the phone away.

    Yeah. A 12 year old boy locking himself away in his bedroom is more likely to be caused by puberty than a smartphone.

  • Jun 13th, 2017 @ 11:09am

    Re: Hmm

    More likely, it's this:

    > Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction. Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area. Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.

    (from https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html)

    My money is that they're trying to pare down the scope of the breach to get under that 500 record mark, so that they don't have to go on the 5:00 news to advertise it.

  • Jun 7th, 2017 @ 5:25pm

    Re:

    > And the lesson is...lie when providing your name for such tests.

    If the test is being performed by a company like 23andMe or Ancestry, don't lie. Just don't submit a sample.

    Because the life/lives you could accidentally ruin might not be yours.

    https://www.vox.com/2014/9/9/5975653/with-genetic-testing-i-gave-my-parents-the-gift-of-divorce-23andme
