sigalrm’s Techdirt Profile


About sigalrm

sigalrm’s Comments

  • May 28th, 2015 @ 12:32pm

    Re: Re: Re:

    Yikes, that got ahead of me.
    Above should read "The purpose of the controlled disruption is to destroy the potential bomb without allowing it to detonate."

  • May 28th, 2015 @ 12:30pm

    Re: Re: Ok, seriously, what the hell?

    Or they used the golden key encryption, and someone bad got a hold of the key.

    The end result would be identical.

  • May 28th, 2015 @ 12:27pm

    Re: Re:

    Generally not, actually.

    The purpose of the "controlled disruption" as opposed to is to destroy the potential bomb without allowing it to detonate.

  • May 28th, 2015 @ 11:14am

    Re: Re: Last Saturday's Slashdot post....

    He might have only spent a dollar, that he paid back, but corporate legal counsel isn't cheap, and Starbucks probably feels that they were "forced" to drop probably a couple thousand on legal fees as they consulted their attorneys...

    Talk about an asymmetric threat....

  • May 28th, 2015 @ 10:21am

    Re: Contact the appropriate authority

    "Simple", "Obvious" solutions like this tend not to be viable in the real world.

    Consider: You're proposing the creation of a viable and effective centralized repository of corporate vulnerabilities.

    No matter how many pledges, agreements, treaties, or whatnot were implemented to the contrary, such an organization would be an irresistible target for Nation States, Spies (corporate & other), and other malicious actors, and while hacking of the repository would be an issue, so would the blackmail, coercion, and bribery of its employees.

    Such an organization would be compromised before it was even operational.

  • May 27th, 2015 @ 3:45pm

    Re: Re: Re: What does the FBI care?

    "Here's your aircraft back. By the way, while it was in our custody, it was used as part of an undercover sting operation, and subsequently rendered un-airworthy as a result of a firefight with members of a Mexican drug cartel. Hope that's not an inconvenience.

    Oh, and you might want to get the pilot's seat cleaned before you sit in it."

  • May 27th, 2015 @ 7:55am


    Who cares that it took highly skilled and organized techno-ninjas? The Government cares. Deeply.

    Because if the American public ever figures out that the technical capability to pull off hacks like this one, Sony, etc, is often easily within the reach of a bunch of random teenagers with Live CDs, things are going to get bad for the country, and fast, as people lose trust in the banking system, healthcare systems, etc.

  • May 26th, 2015 @ 5:20pm

    Credit Monitoring....

    I have to wonder...Are there any adults in the US who don't have a decade's worth of accrued "credit monitoring" available to them at this point?

  • May 26th, 2015 @ 5:17pm


    The younger the individual, the higher the odds that the answers to most "common" security questions - Mother's Maiden Name, What street did you live on as a child, First/favorite pet, first boyfriend/girlfriend - are readily available on Facebook.

    I know this to be true for myself, even if I didn't provide the information. And it's certainly true for both of my kids. And one of them doesn't have a Facebook account (yet).

    It's not a coincidence that for years now, when someone's webmail account is "hacked", the mechanism is almost always the password recovery feature. This is becoming less the case as Google, Yahoo, MS, etc catch on, but it still happens with depressing frequency.

  • May 20th, 2015 @ 2:19pm

    Re: Re:

    With regards to Stuxnet, the argument has been made publicly in at least one other forum that Stuxnet's intended target doesn't apply because the facilit(y|ies) in question were being used for weapons research and not power generation or any function that would directly impact their civilian population if it were to go offline.

    Whether or not that's correct would seem - to me - to really come down to the finer points of how "critical infrastructure" is defined.

  • May 19th, 2015 @ 3:25pm

    Re: That's a red flag

    "What's so bad about police being governed by the communities they represent?"

    Well for starters, it's generally considered bad military doctrine to allow the enemy to know the full extent of your capabilities.

    Also, the communities might say "No." Can't have that...

  • May 13th, 2015 @ 2:57pm


    Well, Field Manual 1984 states quite clearly that's how the proletariat should be handled.

  • May 13th, 2015 @ 2:14pm

    Re: Re:

    "My politician is honest. It's all the others that are crooks".

    It's cognitive dissonance at enormous scale.

  • May 13th, 2015 @ 2:11pm


    Or what he _thinks_ they have on him.

  • May 13th, 2015 @ 2:07pm

    Re: Wait, what?

    It's not about going after enough people.

    It's about going after potential terrorists. Which can be easily defined as "Everyone on the planet who doesn't work for the NSA".

  • May 1st, 2015 @ 2:18pm

    Re: What about the driver "agreed"?

    Coercion works wonderfully well for the cartels the DEA is fighting - why would you expect the DEA to deprive itself of such an effective tool?

    At the end of the day, I think Nietzsche has it covered quite succinctly: "He who fights with monsters might take care lest he thereby become a monster. And if you gaze for long into an abyss, the abyss gazes also into you."

    When the tactics of the "good guys" start to be indistinguishable from those of the "bad guys", it's time to take a step back and re-evaluate the situation. Because let's face it - the DEA's actions here - aside from the court fight - are identical to some of the tactics cartels use.

  • Apr 28th, 2015 @ 8:37am

    Re: Re:

    from m-united-flight/

    "Roberts recently noted the lack of response he's had from manufacturers in the aviation industry for the past five years"

    I was at a registration-required, but otherwise public, conference Roberts presented at a few (3 or 4) years ago, and had an opportunity to speak to him a bit one on one about some of this (I was actually attending the conference for free as part of a deal Infragard had worked with the conference organizers).

    This isn't a new thing. It's not the first time the airlines and feds have been notified about these problems, and it's not going to get fixed anytime soon.

  • Apr 23rd, 2015 @ 1:00pm


    "Reclassify the internet as not a public utility" should read "Reclassify the internet as a public utility"

    Anyone else ever wish there was a way to edit comments here?

  • Apr 23rd, 2015 @ 12:52pm


    "This merely pushes the issue back one level. It is perfectly possible to store encrypted files on an encrypted file system. There is no requirement that the two encryption schemes share a common origin, scheme, or code base. You likely do this every day without realizing it: what do you think audio codecs are, or image/file compression?"

    Pushing the issue back one level would be regarded as a significant win by the folks proposing this, as it dramatically reduces the number of people out there capable of working around the technical control. As to the other point above, as you say, there's no requirement, per se, for any common format or code base, but realistically, if you want to communicate effectively, you need some sort of a common system, and whether or not they realize it, most people aren't sufficiently competent to roll their own. This leads, inevitably, to common systems, formats, code, and ciphers.

    "If the government does mandate broken encryption on a device, you can bet that anyone wanting to keep their files secret will just put another private layer on."

    Given de-facto control of an OS, there's very little that can be done on a system that you can't also control.

    Also, onto your final point: not all problems can be solved with technology, which is why you back up the technology with:
    ... or you could just go the route England did: "unencrypt this for us or go to jail".

    It's not "or", it's "and". Possible financial and reputational ruin, coupled with the possibility of jail time, is a fairly hardcore administrative control.

    Never underestimate the effectiveness of a public execution (literal or figurative). The hardcore penalties sought by prosecutors under, e.g., the CFAA - think Aaron Swartz, or Deric Lostutter (whose hacking under the alias KYanonymous brought about 2 rape convictions), and who is now facing more prison time than the rapists because of it? Yes, prosecutors will put the person away for a long time, but that's arguably a secondary goal - The primary goal - and we hear it stated over and over by prosecutors, county sheriffs, police captains, etc - is deterring other people from undertaking similar actions.

  • Apr 23rd, 2015 @ 11:41am

    (untitled comment)

    "So how does the government go about making these shared key schemes mandatory? Bernstein v. United States established that source code was an expression covered under the 1st Amendment."

    The US Government can't (legally) regulate the source code. So what? They don't have to. They can regulate access to public utilities.

    Reclassify the internet as not a public utility (for bonus points, subsidize access to it to ensure no one is left out based on their ability to afford it) and then specify the technical requirements for connection to it. Make one of those technical requirements "responds appropriately to key escrow validation query" or something similar and they're set. No valid response? No network access for you, and the technical data about the system gets logged for investigation.

    Mobile providers are already regulated this way, so no issue there - they just need to add back-end hooks to make sure the OS is "government approved".

    The technical capabilities already exist to do this at medium to very large scale, but they might require some tweaking to scale appropriately to, say, Cox Communications or Verizon Internet. Google "posture validation" and "network admission control". For a fair number of these networks, the code is already in place, and just needs to be licensed and configured.

    And yes, posture validation systems - as with any security related system - can be bypassed. Which is why the technical controls would/will be backed with administrative controls (Make it a felony to bypass "any technical control intended to regulate access to a public utility") and aggressively prosecute anyone caught attempting to do so. Oh. And the CFAA still applies.

    It might take a decade or so to accomplish, but it's certainly doable. And frankly, you don't even need 100% coverage. Just get the percentage of covered devices high enough to where it's possible to evaluate the outliers and you're "close enough".
