TKnarr’s Techdirt Profile

tknarr

About TKnarr




TKnarr’s Comments comment rss

  • Dec 3rd, 2018 @ 12:58pm

    (untitled comment)

    There's another solution to the situation, the same solution that the software industry's "responsible disclosure" farce encourages for handling bugs and vulnerabilities. Instead of sources talking to reporters privately and reporters filtering the information to avoid disclosure of anything not truly needed, sources contact reporters anonymously and mass-dump all the original materials through a service like Wikileaks that allows for large-scale duplication making it all but impossible to shove the documents back in the safe. Then reporters don't need to vet the source, they can vet the original documents and report based on that. If the reporter never knows who provided the information, they can't reveal more than that they don't know the source's identity. The government can go chase the original documents and the original source, but the material's still out there regardless so they won't accomplish their goal. Sources of course need to make sure they're untraceable when uploading the information, but that's what they're having to do already so no major change there.

  • Nov 19th, 2018 @ 1:51pm

    (untitled comment)

    I think the biggest thing would be to stop requiring judgements to be "reasonable" in the aggregate. Work up an average cost for an individual to deal with the results of a data breach (including their own personal time), then by law set the liability of the data collector per individual exposed at either that average or the actual documented costs, whichever is greater, plus legal costs and fees. 50 million records exposed at an average cost of $200 per person to fix? Total liability starts at $10 billion and goes up from there, plus lawyers' fees on top of that. No trying to figure a reasonable total penalty, you take the reasonable cost per individual and multiply it by the number of individuals and the company's responsible for contacting all individuals affected.

  • Nov 19th, 2018 @ 1:40pm

    Re: Is there a deadhand option?

    There isn't an easy way to set up an automatic wipe like you describe, but many phones have an option to encrypt the storage (internal and SD card) so that a password has to be entered during boot before the phone can even read it's own storage. You'd combine this with a scheduled-reboot app (requires a rooted phone to work) that would trigger a restart of the phone at a certain time each day. You could use a remote-power-off app as well, but doing it automatically on a preset schedule avoids the issue of you having to actively do something after the phone was confiscated. I'd have to dig into whether there's software out there that could invalidate the decryption credentials (forcing a re-entry of the password) if the device is idle for longer than a set time (something like the lock screen, but operating at the hardware layer rather than the level of the UI and external interfaces).

  • Oct 29th, 2018 @ 7:20am

    Re:

    Have to agree. "Don't enable the Submit button before the form's completely ready to be submitted." is a standard thing for any Web page or application. If that button does anything before the form's completely loaded and rendered, the developers failed even India Consulting Firm Coding 101.

  • Oct 21st, 2018 @ 9:53pm

    Re: Response to: TKnarr on Oct 20th, 2018 @ 4:08pm

    As to #2, these chips were installed in the Ethernet connector itself. That means they have access to the physical Ethernet so they can inject their own packets in between legitimate packets. And if you'd read the article, the extra network traffic that would imply was exactly how they were in fact detected according to the author.

    As to #1, go look up the specs for Intel's chipsets like the current X299. They include on-board network hardware (specifically an Intel I219) which is connected to the Ethernet connector itself via a PCIe x1 and the SMBus. That would give hardware embedded in the Ethernet connector a nice neat line into the hardware's internals.

    And perhaps it might be a lot of money. Maybe. Remember that this is China, which specializes in manufacturing chips for electronics manufacturers. I'm pretty sure their government could fund a fab line for the necessary chip, they could probably even piggyback it onto an existing fab line other companies were paying for. Installing it in every Supermicro board manufactured in China wouldn't be expensive, it's just a small tweak to the cost they're already charging Supermicro to manufacture the boards after all. Putting it into every board would actually make it less likely to be detected since there'd be no anomalies in the components to be noticed and the chip is probably on the original blueprints labelled as something innocuous so anyone checking would see that the connector's exactly as specced. You'd need to actually peel the chip apart before you'd find any hint of anything wrong. Or be monitoring for unusual network traffic, and that's often difficult as there's so much and only the most paranoid would go to that effort. Your targets wouldn't be the high-security networks that'd be the main places that'd spot that traffic either, they'd be the lower-security stuff in big datacenters where you can scoop up information from the commercial side where security isn't nearly as tight. Set the chip up to do a limited number of time-delayed pings at first power-up and shut itself off if it didn't get a response and by the time anyone looking notices the traffic and goes hunting for the source the trail's gone cold.

    As for juicy, remember that the government contracts out almost all of it's military hardware. You may not be able to steal the designs from the government, but scoop up the info on what the civilian subcontractors are making for the contractors making the hardware and you can get a pretty good idea what's being delivered. Plus the sheer monetary value of simple commercial espionage, of course, and commercial security is a complete joke as we've witnessed time and time again.

  • Oct 20th, 2018 @ 4:08pm

    (untitled comment)

    https://www.bloomberg.com/news/articles/2018-10-09/new-evidence-of-hacked-supermicro-hardware-found- in-u-s-telecom

    This article covers something that appears different from the original article. It looks plausible: the extra chip is in the connection between the Ethernet connector itself and the internal NICs in the CPU, which'd give it both network access and potentially access to the PCIe bus and/or the internal bus connecting components within the CPU. In a multi-layer motherboard I can see hiding some extra traces that'd be sufficient to give the chip enough access to monitor memory and the hard drives. Add in the claims that the technique was also found in NSA leaks back in 2013 (the TAO catalog from the NSA's Advanced Network Technologies group) and it looks like it falls into the "I really don't want to think they did that, but I can see too many ways they can feasibly do it and I know the potential payoff would be enough to tempt even a saint" category.

  • Aug 17th, 2018 @ 11:07am

    (untitled comment)

    It's probably that the wording is controlled by the marketing and legal departments, who aren't intimately familiar with the internals of the various products. The engineers, who truly know what's going on under the hood, aren't consulted until after the fact (if then). There's also the disconnect in world-view: to the engineers the fact that Weather stores location data in it's own data storage for it's own purposes isn't relevant at all to whether that same data appears in the Location History storage. As long as Weather doesn't feed the data to Location History, the statement that turning off Location History makes Location History stop recording your location is correct even though Weather is still tracking your location so it can show you the weather in places you visit regularly. To make matters worse, I suspect the average smartphone user's understanding is closer to the engineers' than the lawyers' so you end up with not one but two layers of translation errors.

  • Aug 13th, 2018 @ 10:59am

    (untitled comment)

    I think, though, that agent Schwartz would do well to cancel any plans he has for vacations in Mexico for the foreseeable future.

  • Aug 13th, 2018 @ 9:55am

    (untitled comment)

    I'd like to note something that's skipped over here: the nature of the choice companies/platforms give users. All the transparency and control in the world is useless if the choice offered is "give us permission to do anything/everything or don't use our platform/website". Hobson's choice is no choice at all most of the time.

  • Aug 10th, 2018 @ 11:49am

    Re: "Would you look at that, seems I need to leave RIGHT NOW."

    I think judges should start enforcing the rule that once the defendant files anything in the case, even just a response, the plaintiff can't voluntarily dismiss the case anymore without the defendant agreeing to the dismissal. Along with an explicit rule that says the fact that the defendant refused to agree to a dismissal may not be used to the defendant's detriment at any later point in the case (ie. no more saying that if the plaintiff offers to settle and dismiss the case and the defendant rejects it and ends up winning less than the settlement offer the defendant's treated as having lost).

  • Jul 26th, 2018 @ 2:59pm

    Re:

    Remember that their plan isn't to protect their DRM against cracking. It's to protect their ability to sell their DRM to game companies. I'd even bet that their financial people see the DRM being cracked as a revenue opportunity: version N of it being cracked means the game companies have to shift to version N+1, which being a major version upgrade requires buying a new license.

  • Jul 19th, 2018 @ 1:05pm

    (untitled comment)

    When it comes to "balanced" reporting, I just remember what Robert Heinlein had several of his characters expound: the second best way to lie convincingly is to tell the truth but not all of it. Report the facts but omit some crucial ones so that people reading the material will get a distorted view and jump to incorrect conclusions.

    A lie of omission is still a lie.

  • Jul 11th, 2018 @ 7:35pm

    Re: Re: Re: It's not just games though

    With Calibre there's no time spent on the book. You need a few minutes when you install the plug-in to configure it with the info from/for your reader. After that the plug-in operates in the background, silently removing the DRM as you import the e-book into Calibre. I haven't seen it add any appreciable time to the import either, so it's basically negligible overhead.

  • Jun 25th, 2018 @ 12:56pm

    Re:

    What'd be even better is if the court ruled that since the government has no authority to retaliate in this manner and the councilmembers knew or should have known this, their actions cannot have been in the course of their duties and they are personally liable for the damages (and if they want the city to pay they'll have to sue it themselves).

  • Jun 19th, 2018 @ 12:49pm

    (untitled comment)

    I think the out is in the fact that the prohibition is on a party requiring disclosure of source code owned by a different party. In the case of open-source licenses, the party requiring the disclosure is the one who owns the code. In such a case they wouldn't be demanding disclosure of source code owned by a different party and the prohibition wouldn't apply.

  • May 22nd, 2018 @ 11:27am

    Re: Re: Amusing

    The idea isn't to get a ruling about whether it's de minimis fair use. The idea is to get a ruling that the defendant (HBO) can't raise de minimis fair use as a defense either because they've themselves prevailed on the claim that de minimis use is still infringing or (better, because it'd apply to all media companies and not just HBO) that de minimis use doesn't make it fair use. This would hit the media companies hardest because they have the widest variety of possible-fair-use occurrences in their product and are open to claims from the largest number of copyright holders.

  • May 21st, 2018 @ 8:11pm

    (untitled comment)

    I almost wish the plaintiff's attorney had gone and found cases where HBO had made the same sort of "any use is infringement, no matter how minor" argument and won, and used that to shoot down HBO's defense here just to drive home to the media companies the point that their idea of how copyright works is just as dangerous for them as it is for the public.

  • May 16th, 2018 @ 8:41pm

    Re: Re: Better yet…

    That isn't intermediary liability though. The government decided where to place the crosswalk, so they'd be directly liable for their choice. Intermediary liability would be holding the contractor who painted the crosswalk where the government told him to liable for the government's choice.

  • Apr 9th, 2018 @ 3:05pm

    Re: Who appoints the arbiters?

    It's not so much that the firms have a built-in bias in favor of Facebook as that Facebook's the only party that can select arbitration panels and it deliberately selects panels that favor Facebook. Basically case 2 quickly and inevitably becomes equivalent to case 1 unless the selection process is designed to prevent any single party from having sole control of the selection of arbitration panel.

    Knowing how things have gone in the binding-arbitration area, I'm inclined to believe any businessman's proposal of another arbitration system will go the same way until I'm presented with evidence to the contrary.

  • Mar 21st, 2018 @ 8:06pm

    Re: Predicting DOOM beyond all reason. A boy who cries werewolf!

    No, it's that under the new law platforms will do less policing or more likely no policing at all simply because that's the only way to avoid being run out of business by lawsuits and criminal charges. Such an improvement.

More comments from TKnarr >>