sigalrm 's Techdirt Comments

Latest Comments (278)

  • Do You Want A Police State? Because This Is How You Get A Police State

    sigalrm ( profile ), 26 Jan, 2017 @ 09:50am

    Re: Re:

    The US, as a society, has been hearing a constant refrain of "the world is an ugly, scary place, and anyone who isn't a true American wants to kill you in a horrific fashion. Be Afraid, Be Very Afraid" from mass media for at least a couple of decades now. Sometimes it's subtle, sometimes it's overt, but it's been pretty much continuous.

    That a large number of people are legitimately terrified and feel a strong desire for someone, anyone, to protect them at any cost shouldn't be a surprise.

    It's sad. But utterly predictable.

  • Trump Muzzles Federal Employees; Reporters Start Asking For Leaks

    sigalrm ( profile ), 24 Jan, 2017 @ 03:50pm

    Re: Hopefully Trump doesn't go after the AP like Obama did

    No need to investigate when you have Alternafacts at your disposal.

  • Trump Muzzles Federal Employees; Reporters Start Asking For Leaks

    sigalrm ( profile ), 24 Jan, 2017 @ 03:48pm

    Re: Hm

    You may think you don't care about HHS. But consider that the operating divisions for HHS include, but are not limited to:

    • Administration for Children and Families,
    • Agency for Healthcare Research & Quality,
    • Agency for Toxic Substances and Disease Registry,
    • Centers for Disease Control & Prevention (CDC),
    • Centers for Medicare & Medicaid Services (CMS),
    • Food & Drug Administration (FDA),
    • National Institutes of Health (NIH), and more.

    More here: https://www.hhs.gov/about/agencies/orgchart/

    These all roll up under HHS, and are presumably all subject to this gag order, given HHS as the parent organization. US Department of Commerce? Yeah. That includes:

    • NOAA,
    • NIST,
    • The Patent and Trademark Office, and more.

    Also all presumably under a gag order. More here: https://www.commerce.gov/sites/commerce.gov/files/media/files/2015/docorgchartfinal.pdf

    One or two of those might be important.

  • Arrested Flag Burner Sues Arresting Officers

    sigalrm ( profile ), 24 Jan, 2017 @ 11:08am

    Re: Re: Burning Flags - So Asinine

    To quote Malcolm Reynolds, "It's my estimation that every man ever got a statue made of 'em was one kinda sombitch or another."

    "Polite" people rarely get noticed enough to make history.

  • Arrested Flag Burner Sues Arresting Officers

    sigalrm ( profile ), 24 Jan, 2017 @ 11:02am

    Re: Strange

    "what is all the fuss about?"

    It's all about the feels.

  • Arrested Flag Burner Sues Arresting Officers

    sigalrm ( profile ), 24 Jan, 2017 @ 09:59am

    Re: Get money from the state

    No, but the State of Illinois is insured.

    Prediction: there will be a payout, and the case will quietly go away.

  • Baltimore Ravens Owner Has Ingenious Solution For NFL Ratings Drop: Stop Annoying Fans With Too Many Ads

    sigalrm ( profile ), 23 Jan, 2017 @ 01:12pm

    Re: Re: Be careful what we wish for

    "render" would be a better word than "replace".

  • Baltimore Ravens Owner Has Ingenious Solution For NFL Ratings Drop: Stop Annoying Fans With Too Many Ads

    sigalrm ( profile ), 23 Jan, 2017 @ 01:12pm

    Re: Be careful what we wish for

    Why be so subtle?

    They already do a lot of near-real-time video modification (line of scrimmage, first down lines, player highlights).

    What if, instead of a football, they simply replace the football with, say, a can of Coors Light trailing a silver line (so you can see the trajectory). Or replace all the linemen with images of pick-up trucks, the QB as a Tesla, and the receivers as Cadillacs. Catching cans of Coors. With a ticker sponsored by MADD (Mothers Against Drunk Driving) on the bottom of the page.

    The whole field can be replaced with a Verizon/TMo/whoever network map, showing how well mobile connections can be established from point A to B.

    The possibilities are nearly limitless.

  • Techdirt's First Amendment Fight For Its Life

    sigalrm ( profile ), 12 Jan, 2017 @ 07:51am

    Re: Re: Re: Re: Re: Re: Re: Re: Re: What goes around, comes around

    "If one folds, others may too. "

    Not "may". "will".

  • Amazon Refuses To Comply With Police Request For Amazon Echo Recordings In Murder Case

    sigalrm ( profile ), 28 Dec, 2016 @ 08:09am

    Re: did they overlook this?

    "On a separate note do you think that Amazon refused the request because it turns out they've got recordings of everything from the factory QA testing forward for every device?"

    IMHO, probably not.

    For that to be the case, Amazon would have to upload the data at some point, and the first thing privacy wonks do with a device like this is throw up a sniffer and watch all of the traffic these things emanate.

    If they were seeing anything like a constant data stream or unreasonably large periodic bulk flows from an Alexa device to the mother ship, they'd have screamed about it.

    Given what the device does, the outbound data flows will follow fairly predictable patterns if it's truly behaving as advertised.
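The check the comment above describes, as an added example (not from the commenter, and not Amazon's code): it takes flow summaries captured on the LAN segment the speaker sits on, buckets the device's outbound bytes into 5-minute windows, and flags any window whose volume is far above the median window. The device address, the thresholds, and every flow record are constructed assumptions; the point is that a short keyword-triggered upload looks nothing like a sustained stream, even when the payload is encrypted.

```python
"""Egress-volume check for an always-listening device.

Added example: constructed flow summaries, constructed device address,
assumed thresholds. Nothing here comes from the comment or from Amazon.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

DEVICE_IP = "192.168.1.50"      # assumption: the speaker's LAN address
WINDOW_SECONDS = 300            # 5-minute buckets
RATIO_THRESHOLD = 10.0          # assumption: >10x the median window is "bulk"

# Constructed flow summaries (start_time, src_ip, dst_ip, bytes_out).
# Keepalives are ~1 KB, a spoken query is a few hundred KB, and one
# window carries a sustained multi-megabyte stream that should stand out.
SAMPLE_FLOWS = [
    ("2016-12-27T08:00:05", DEVICE_IP, "52.94.0.10", 1_100),
    ("2016-12-27T08:02:15", DEVICE_IP, "52.94.0.10", 240_000),    # a query
    ("2016-12-27T08:06:30", DEVICE_IP, "52.94.0.10", 1_050),
    ("2016-12-27T08:11:00", DEVICE_IP, "52.94.0.10", 1_080),
    ("2016-12-27T08:13:45", DEVICE_IP, "52.94.0.10", 310_000),    # a query
    ("2016-12-27T08:16:10", DEVICE_IP, "52.94.0.10", 1_020),
    ("2016-12-27T08:20:02", DEVICE_IP, "52.94.0.10", 9_800_000),  # sustained
    ("2016-12-27T08:24:50", DEVICE_IP, "52.94.0.10", 7_600_000),  # sustained
    ("2016-12-27T08:26:00", DEVICE_IP, "52.94.0.10", 1_030),
    # A laptop backup on the same segment; not the device, so ignored.
    ("2016-12-27T08:31:12", "192.168.1.20", "52.94.0.10", 50_000_000),
]

EPOCH = datetime(1970, 1, 1)


def window_start(timestamp, window_seconds=WINDOW_SECONDS):
    """Truncate an ISO-8601 timestamp to the start of its bucket (ISO string)."""
    ts = datetime.fromisoformat(timestamp)
    epoch_seconds = int((ts - EPOCH).total_seconds())
    start = epoch_seconds - (epoch_seconds % window_seconds)
    return (EPOCH + timedelta(seconds=start)).isoformat()


def outbound_per_window(flows, device_ip, window_seconds=WINDOW_SECONDS):
    """Sum the bytes the device sent out, keyed by window start."""
    totals = defaultdict(int)
    for start, src, _dst, out_bytes in flows:
        if src == device_ip:
            totals[window_start(start, window_seconds)] += out_bytes
    return dict(sorted(totals.items()))


def flag_bulk_windows(flows, device_ip, ratio=RATIO_THRESHOLD):
    """Return [(window, bytes, multiple_of_median)] for windows over the threshold."""
    totals = outbound_per_window(flows, device_ip)
    if not totals:
        return []
    baseline = median(totals.values())
    flagged = []
    for window, total in totals.items():
        multiple = total / baseline if baseline else float("inf")
        if multiple > ratio:
            flagged.append((window, total, round(multiple, 1)))
    return flagged


if __name__ == "__main__":
    for window, total, multiple in flag_bulk_windows(SAMPLE_FLOWS, DEVICE_IP):
        print(f"{window}: {total:,} bytes out ({multiple}x median window)")
```

On the sample data only the 08:20 window trips the threshold; the two spoken queries sit at roughly 2x the median and pass. The obvious caveat is that this only catches volume: a device that trickled audio at keepalive rates, or uploaded only on a trigger the tester never spoke, would not show up, which is why the comment's "predictable patterns" argument is evidence rather than proof.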

  • Amazon Refuses To Comply With Police Request For Amazon Echo Recordings In Murder Case

    sigalrm ( profile ), 28 Dec, 2016 @ 07:32am

    Re: Semi secure at best

    "For the semi secure types there's a button that can be used instead of allowing the mic to be on 24/7 i.e. push-to-talk."

    Someone needs to open up an Alexa and determine if that button is software-driven, or is hard-wired into the electrical path to the microphones.

    I'm guessing it's software-controlled, in which case, it's going to be fairly easy to circumvent with an updated/custom OS.

  • Amazon Refuses To Comply With Police Request For Amazon Echo Recordings In Murder Case

    sigalrm ( profile ), 28 Dec, 2016 @ 07:20am

    There are 3 things (at least), not 2, to worry about.

    "...and then you have two potential problems: first, what does the company giving you the service do with that info and, second, what would third parties (e.g., law enforcement or hackers) like to do with that info if they could get a hold of it. "

    Actually, you have at least 3 potential problems: the two above, plus: How long will it be before Amazon is presented with - or is compelled to produce - an "Alexa, Law-Enforcement" version of their software for targeted installation on these devices, along with the new, standard issue Rule-41 based warrant + gag order?

    The code to build an Alexa on a Raspberry Pi is already on GitHub; it's not a stretch to tweak it from "watch for keyword and upload next 30 seconds of audio" to "upload all audio."

    Amazon didn't say "come back with a warrant" out of the goodness of their hearts. They don't want US Government to kill what could end up being their flagship product in its infancy.

  • Appeals Court To Cops: If You 'Don't Have Time' For 'Constitutional Bullshit,' You Don't Get Immunity

    sigalrm ( profile ), 18 Nov, 2016 @ 03:35pm

    Re: Are We Learning?

    Shooting your own dog will almost certainly result in animal cruelty charges.

    It's only ok when the police do it for you.

  • Long Time Mass Surveillance Defenders Freak Out Now That Trump Will Have Control

    sigalrm ( profile ), 14 Nov, 2016 @ 09:14am

    Re: Not Me, Couldn't be, then Who?

    No, they haven't been living in a vacuum.

    Ben Wittes has (had?) a blind faith in the inherent "goodness" of the US Government, based on a vastly different set of starting assumptions.

    Now, he's being forced to revisit some of his first principles. This is a good thing, because he's respected in his communities in ways that groups like this one are not, which means in theory he has an ability to influence said communities.

    Expect some fairly sharp changes in mentality from pundits in the next couple of years. Hopefully they don't come too late to make a difference, although I expect that they have.

  • Election Day CyberFest: Hackers, Hacking, 'Journalism,' The FBI, And Jiveass Baloney

    sigalrm ( profile ), 09 Nov, 2016 @ 12:20pm

    Insecure voting machines are nothing new

    "Add into the fun a set of researchers finding (SHOCKER!) voting machines to be terribly insecure. That in itself isn't new, but letting everyone in on how exactly to do it certainly is."

    People have been ringing the "holy crap, voting machines are insecure" bell publicly for more than a decade.

    See: https://citp.princeton.edu/research/voting/

    Their paper was published in Sep., 2006, but was pretty much ignored by mainstream media.

  • 'Nice Internet You've Got There… You Wouldn't Want Something To Happen To It…'

    sigalrm ( profile ), 21 Oct, 2016 @ 03:13pm

    Re: Re: Re: Re: Re: Nerd Harder!

    (ok, so that got long. Sorry about that).

    But fundamentally, if we want anything resembling a secure IoT, we're going to have to figure out a way to make it more expensive for companies to ship a vulnerable product than it is for them to fix it first, because the attack surface isn't going to get smaller.

  • 'Nice Internet You've Got There… You Wouldn't Want Something To Happen To It…'

    sigalrm ( profile ), 21 Oct, 2016 @ 03:10pm

    Re: Re: Re: Re: Nerd Harder!

    Here's a more solid start, based on use of MITRE's CVE system.

    Assume Samsung is selling IoT-enabled toasters, because why not. Everything's better with a network stack. Anyway, MSRP on this toaster is $100 USD, and Samsung releases the product Jan 1, 2017, and ships 1000 toasters.

    Now, if there are no open CVEs on any component of the IoT stack on this toaster in the 90 days before Samsung ships, they're effectively insulated from liability. Oh, and in that world, the sky is fuchsia.

    But if an open CVE was announced >= 90 days before Samsung launches the product, and it gets exploited, Samsung is on the hook for 5% of the MSRP for each unit sold of said product for every 90 days of age on the CVE.

    Example: Samsung begins selling their IoT-enabled toaster (MSRP == $100 USD) on Jan. 1, 2017. And they sold 1000 of them on day 1. Said toaster has a vulnerability that was announced on Aug. 15, 2016 (just outside the 90 day grace period). If one of these toasters gets exploited and causes trouble, Samsung is going to write a check for (5% of $100) == $5 for each of the 1000 toasters sold as of the date of the CVE being exploited, plus the same fine going forward for each non-patched unit they sell.

    Now, pretend that vuln wasn't released on Aug. 1, 2016, it was released on Aug. 1, 2016. Same ship date, same quantity. Except now instead of 5% per toaster, it's 10%. Add 5% for every 90 day interval of CVE age. Also, allow the total penalty per unit to exceed 100% of MSRP with no upper bound. So, you release an IoT-enabled toaster with a 12 year old ssh vuln, and it gets exploited? Assume 4 90-day periods / year to make it easy; now your penalty is (48 * $5) = $240 * 1000 = $240k in fines for each $100 MSRP toaster you sold.

    And why use MSRP as the basis for the penalty? Well, because it's both easy to validate and publicly verifiable.

    No grace period, no appeal, cut a check to a high school to fund a secure coding class, because CVEs are public and there's no way the organization "couldn't have known".

    Oh, and multiple CVEs? 5% per CVE, and scale it out.

    If you can verifiably patch these toasters 100% then you restart the clock from the time the patch was pushed to the toaster. If you can't patch them, well, eventually you'll get to write a check big enough to make the board pay attention.

    Bonus: Specifically disallow said penalties as a loss for tax purposes.

    As to your other question: It's a Samsung toaster running Google code, Samsung pays. It's their label. If Samsung wants to go back and fight it out with Google based on contract terms, that's fine; Samsung can attempt to recoup their (already paid) losses from Google.

    (yeah, I know. There's no chance this or anything like it will ever happen.)
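The penalty arithmetic from the comment above, carried through as an added example (mine, not the commenter's, and not any real regulation). It encodes one reading of the rules as stated: a unit incurs 5% of MSRP per full 90-day interval of each CVE's age, CVEs younger than 90 days are in the grace period, per-unit penalties are summed across CVEs with no cap, and a verified patch restarts that CVE's clock for units sold after the patch date. Measuring age at the date each unit is sold, and counting intervals as floor(days / 90), are my assumptions; the comment does not pin either down, and its own examples only work out under the floor reading.

```python
"""Worked arithmetic for the CVE-age penalty sketched above.

Added example: the rule constants and the floor(days / 90) reading are
assumptions, and none of this is a real regulation or anyone's code.
"""
from datetime import date

RATE_PERCENT = 5      # of MSRP, per 90-day interval, per CVE
STEP_DAYS = 90        # one interval of CVE age
GRACE_DAYS = 90       # CVEs younger than this at sale cost nothing


def cve_age_days(cve_published, sold_on, patched_on=None):
    """Age of a CVE for a unit sold on `sold_on`.

    A patch pushed between publication and the sale restarts the clock at
    the patch date; a patch pushed after the sale does not help that unit.
    """
    start = cve_published
    if patched_on is not None and cve_published <= patched_on <= sold_on:
        start = patched_on
    return (sold_on - start).days


def unit_penalty(msrp, cve_published, sold_on, patched_on=None):
    """Dollars owed for one unit, for one CVE (0 inside the grace period)."""
    age = cve_age_days(cve_published, sold_on, patched_on)
    if age < GRACE_DAYS:
        return 0.0
    steps = age // STEP_DAYS          # full 90-day intervals of age
    return msrp * RATE_PERCENT * steps / 100


def batch_penalty(msrp, cve_dates, sales, patched_on=None):
    """Total owed across every CVE and every sale batch.

    `sales` is a list of (sold_on, quantity); no cap, as the comment asks.
    """
    return sum(
        quantity * unit_penalty(msrp, published, sold_on, patched_on)
        for sold_on, quantity in sales
        for published in cve_dates
    )


if __name__ == "__main__":
    ship = date(2017, 1, 1)
    # The comment's first case: CVE from Aug 15 2016, 1000 units at $100.
    print(batch_penalty(100, [date(2016, 8, 15)], [(ship, 1000)]))       # 5000.0
    # The comment's 12-year-old ssh bug: 4383 days -> 48 intervals -> $240/unit.
    print(batch_penalty(100, [date(2005, 1, 1)], [(ship, 1000)]))        # 240000.0
    # A CVE from Nov 1 2016 is 61 days old at ship: grace period, nothing owed.
    print(batch_penalty(100, [date(2016, 11, 1)], [(ship, 1000)]))       # 0.0
    # A verified patch on Feb 1 2017 zeroes the April batch but not January's.
    print(batch_penalty(100, [date(2016, 8, 15)],
                        [(ship, 1000), (date(2017, 4, 1), 500)],
                        patched_on=date(2017, 2, 1)))                     # 5000.0
```

Two things fall out of writing it down. First, the comment's "$240k" figure is the total across 1000 units at $240 each, not per toaster. Second, the proposal has no notion of severity or exploitability: a 12-year-old informational CVE in a library the toaster never calls costs exactly as much as a remote root, which is the piece a real scheme would have to add before it was anything more than a thought experiment.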

  • 'Nice Internet You've Got There… You Wouldn't Want Something To Happen To It…'

    sigalrm ( profile ), 21 Oct, 2016 @ 12:46pm

    Re: Re: Nerd Harder!

    There's an easy way to fix this.

    Make companies financially liable for security issues in their products in a way that makes securing their software less expensive than not.

    Until that happens, this type of issue isn't going to get better.

  • FBI Director: We Need More Data On Police Shootings So Law Enforcement Can 'Change The Narrative'

    sigalrm ( profile ), 21 Oct, 2016 @ 08:21am

    Re: Comey's remarks show two parts of the problem

    Reliable data about police use of force is only one piece.

    The raw data must also be released to the public for independent researchers to evaluate, in near-real time.

  • Yahoo Issues Tone Deaf Non-Denial Denial Of Email Scanning Report

    sigalrm ( profile ), 05 Oct, 2016 @ 12:56pm

    Re: "What we do is legal" and "Our policy is to do X" are standard boilerplate responses.

    Remember, Yahoo only has to hold out long enough for Verizon's check to clear.
