* Posts by Graham Cobb

577 posts • joined 13 May 2009


Euro police forces infiltrated encrypted phone biz – and now 'criminal' EncroChat users are being rounded up

Graham Cobb

Re: It's an interesting dichotomy

Which is why the answer is Open Source. While not perfect, it is likely a much better system than one you code yourself and you don't have to trust a small number of people.

The biggest downside is if there is a bug or a weakness, it is easier for your adversary to find. But there is also a large chance someone else will find it and it will be fixed.

Graham Cobb

Re: Matters arising

I don't suppose many of the purchasers bothered to do network traffic inspection testing of the device in use: the captured data could be sent in an unencrypted http message to a police server without anyone likely to notice!

The crims who would notice (who are likely to be government-backed if they are really that sophisticated) will not be using commercially-available WhatsappForCrims services.

Graham Cobb

Re: Honey pot

The problem with that, for many users, is the feasibility of doing so and (more importantly) the difficulty involved in securely exchanging keys.

Indeed, although replaced in this case with the difficulty of knowing whether the service you are using is actually under the control of law enforcement (and, of course, the difficulty the LE people have in using any information they can gather without blowing that they are reading the secret comms).

One assumes that if you are a serious criminal you mostly use services where many of the people at the provider can be physically accessed (i.e. killed or seriously injured) if it turns out they are giving away your secrets! The problem is presumably that in today's international crime scene you need tools that will be trusted by two criminal enterprises in different parts of the world.

If I were a criminal mastermind, I think I would prefer to use something that is open source and widely used and work on the key distribution and update problem instead -- that is much more likely to be amenable to traditional human-based solutions that these people have much experience of.

But maybe that is why I am not!

Brit police's use of facial-recognition tech is lawful, no need to question us, cops' lawyer tells Court of Appeal

Graham Cobb

Re: Intrusive

In fact, it is clearly much more intrusive as fingerprints or DNA are mostly only left if you interact with some particular point - AFR identifies people walking down the street, interacting with nothing.

Graham Cobb

Re: So now

And what if you happen to look a bit like someone on the wanted list? It would be unreasonable and unfair that everyone who looks like someone on the list is stopped all the time even if that is a tiny minority. We must require there has to be some additional justification which would protect these unfortunate individuals from turning their honest and ordinary life into a dystopian nightmare (additional reasons might include, for example, a crime has happened nearby, or there is intelligence suggesting the particular criminal is in that area at that time).

Graham Cobb

Re: Keep a straight face.

It is obviously much more intrusive: CCTV does not (attempt to) identify people - it records images for use later if justified at THAT (later) time by reasons which are proportional, etc. For example, a crime has happened.

AFR (attempts to) identify everyone it captures - then, based on that identification, may apply some selection or proportionality requirement.

The act of trying to identify people is additional to the act of recording. The recording may be permitted under CCTV laws, but the additional act of identifying has nothing to do with the CCTV laws and must require separate legal authorisation.

Former UK Labour deputy leader wants to know how the NHS's contact-tracing app will ensure user privacy

Graham Cobb

Re: It will ensure user privacy

And this is something we need not only much more information on, but also laws to limit the data the businesses can ask for, who they can pass it to, and how long it can be retained.

In particular, they MUST NOT be permitted to ask for any sort of ID - just a name and either a phone number or an email address is all that is needed to provide contact tracing. Also they must not be permitted to attempt or ask for verification of the details (for example calling the number or sending an email). Even if some people lie, the list will provide much more information than they have for other contact tracing scenarios.

In addition, the data MUST be destroyed after a few days (less than 14) when contact tracing will no longer be needed.

Lastly, data MUST ONLY be provided to the NHS contact tracing service and only for the purpose of tracing contacts of someone with the virus, not for law enforcement or any other purpose. That is the only way to give people the confidence to be willing to provide true information while respecting their privacy.

For years, the internet giants have held on dear to their get-out-of-jail-free card. Here are those trying to take that away

Graham Cobb

Re: Objectivity for optimal monitization

Nobody sues AT&T when someone makes threats over the phone. Facebook should be held to the same standard.

Graham Cobb

There is no "privilege". All 230 does is stop the US court system being abused. It specifies two key things:

1) If you don't like something someone says on Twitter you have to sue that person, not Twitter. That seems obvious to us in the UK but is not what normally happens in the US: in the US you don't sue the person responsible, you sue the person with most money! As the US court system is so expensive and so unpredictable, everyone prefers to sue companies with deep pockets as they are more likely to just settle and there is a chance of getting a massive payout. 230 forces people to sue the person who wrote the tweet instead, meaning many, many fewer cases.

2) If Twitter moderates your tweet, they can't be sued for their decision. That is the only thing that keeps Twitter from being much, much, much worse. Without that protection, Twitter will have a moderation policy that just says something like "we take down tweets that are terrorist or child porn related and that is it" and will not be able to delete anything else.

Even worse, the very biggest social media companies can afford enough lawyers, and large enough moderation teams, to maybe handle life without Section 230. But there will never be a new social media company: no startup can live with these two changes.

With the current law, if you want to create a right wing or left wing social media company you can do it. And when it becomes big you can use it to further your views. But with these changes, this is it. You can't grow a new social media company so we are all stuck with whatever the views are of Twitter, Google, Facebook.

In Hancock's half-hour, Dido Harding offers hollow laughs: Cake distracts test-and-trace boss at UK COVID-19 briefing

Graham Cobb

Re: "......worst death toll in Europe"

I'm no defender of the government but a comparison with NZ is useless. We need to compare with countries of similar population densities, similar economies and similar ways of life.

That shows up plenty of concerns without bringing up ridiculous comparisons like NZ or Taiwan.

When open source isn't enough: Fancy a de-Googled Chromium? How about some Microsoft-free VS Code?

Graham Cobb

Re: Things we turned off

If you want to browse safely, the three steps are:

1: Install NoScript

2: Turn off SafeBrowsing

3: Engage brain and think twice, three times before telling NoScript to allow javascript on any site

Legal complaint lodged with UK data watchdog over claims coronavirus Test and Trace programme flouts GDPR

Graham Cobb

Last month's solution?

Do epidemiologists even recommend Track and Trace apps any more? It feels like last month's solution. I am sure it would have been useful in the previous phase but it looks like Coronavirus is here for a long duration now. Tracing isn't a scalable solution for management of the virus for the next decade.

Assuming that society evolves to minimise airborne transmission (presumably masks), the primary vector is going to be either intimate personal contact or touching shared surfaces. Neither of which will have much use for a tracing app. It is looking like it is too late to be an effective tool, and is now just turning into a technological solution looking for a problem.

And the limited tracing resources that will be available are going to be overwhelmed for the next year by 1st workplace outbreaks, and 2nd crowd outbreaks (concerts, football matches, etc). It is clear the government cannot disallow either of those in the long term and neither is helped by an app.

Any epidemiologists here who can explain what I have missed?

Contact-tracer spoofing is already happening – and it's dangerously simple to do

Graham Cobb

Re: Quid custodio ipso cutsodes?

He is responsible for the government "optics". He forced other advisors who broke lockdown rules to resign because it looked good. He then refuses to do the same thing himself.

Worse, Boris should have taken the strong line and forced him out - he could have continued to pay him as a party advisor in party HQ but Cummings should have been forced out of Downing Street very publicly for breaching lockdown rules.

Graham Cobb

Re: Jumping the gun a bit, aren't they ?

Most contact tracing is nothing to do with the app and can begin as soon as the tracers are trained. Most of it will be contacting work colleagues.

Surely the app is only really relevant for finding contacts on public transport. Any other context you either know who your contacts are or you have not been in close proximity for any length of time (if you are following social distancing rules).

Tech set responds in wake of American protests, police violence and civil unrest

Graham Cobb

Re: The next step...

Great idea: all the top US companies withhold 3 months of campaign contributions to all politicians as a protest. And warn that they will review again in 12 months time and unless bipartisan and effective progress has been made on the issue of institutional racism nationwide it will be 6 months contributions they withhold next year.

Linus Torvalds drops Intel and adopts 32-core AMD Ryzen Threadripper on personal PC

Graham Cobb

Re: mythical Year Of Linux On the Desktop comes

Most of the apps are done: most users aren't using special software, they are using office apps, and they just about work in the cloud today, and will improve further as that is where Microsoft's office product investment is going.

My employer is a >100K people organisation and pays a lot of money to Microsoft. Our IT dept are pushing Microsoft hard to make "dumb PC working with cloud apps and data" work well enough that they can switch 90% of users to that (the remainder are developers who already use Linux). Mainly for two reasons: security (get all the corporate data off the user's device and strictly under their control), and cost of support (if something breaks - just give the user a new device and it immediately just works).

Today the biggest issues with this model are that the cloud version of the Office apps doesn't work quite well enough for the power users (cloud Excel is too slow for finance, cloud Powerpoint is too restrictive for marketing, etc). The other issue is that the model still doesn't work for power-travellers (sales people working from trains or planes, mom-and-pop hotels with crap internet or customer sites with no guest wifi) who need all their data and apps locally.

Once Microsoft fix those problems, our IT plan to stop supporting desktops/laptops except as cloud access devices. I am guessing 70% of users in our company will then move to a "chromebook" type of device, that is if they need a keyboard and mouse at all and can't just use a tablet.

They already offer a desktop build for that but not many depts will take it up yet.

Could it be? Really? The Year of Linux on the Desktop is almost here, and it's... Windows-shaped?

Graham Cobb

Re: @jonha - Why do you believe this ?

Microsoft have made it clear that Cloud is their future concern. They are no longer at all interested in PCs except as access platforms to cloud-based services. If they could, tomorrow, kill the Windows desktop OS and switch to using something else which is (i) supported by someone else, and/or (ii) the same as they are using on their strategic platform (cloud) they would do it.

It looks like they are busy executing on a plan to replace all their important desktop apps with cloud software so that they can leave the "desktop" business to Apple/Google for mainstream users, Sony for gamers and Linux for developers/power users (and tiny markets like industrial control). The only value they see in the desktop market is enabling controls by IT (security, cost, etc) - if they could make those tools work on a linux kernel they would move off their historic platform asap.

Open letter from digital rights groups to UK health secretary questions big tech's role in NHS COVID-19 data store

Graham Cobb

Privacy and data ownership are critical for wide support

As long as Palantir and Faculty are involved I will not be running the app. However useful (or even mandatory) it is. It is disgraceful that such privacy abusers are part of the project.

ALGOL 60 at 60: The greatest computer language you've never used and grandaddy of the programming family tree

Graham Cobb

Re: .. never used .. ?

I was using APL at IBM: two or maybe three different versions on different systems. Mostly it was on a 5100 (which also ran BASIC but we only used the APL mode) and APL/SV on a timesharing system. I think I also used APL2 on a VM/360. But it was a long time ago!

Interestingly enough - this job was nothing to do with the academic and engineering computing APL excelled at (with the inbuilt matrix and vector operations). My job was as a programmer in a sales office selling typewriters and photocopiers. The products this office sold had nothing to do with APL or even computers at all - I was employed to write programs that could be used to analyse sales statistics, create reports and create letters to send to customers with special offers.

It would probably have been better to write most of these in PL/1 or RPG II. But learning and using APL was great fun. I even played with j (as a hobbyist) for a while later on to try to recreate that time.

Graham Cobb

Re: No love for CORAL 66?

My second professional programming job was in Coral 66 (actually, PO Coral). If I remember correctly, I had to write the code on a George III system (doing my editing on a teletype as the team only had one VDU and as the most junior I was never allowed to use it). It was then compiled a while later by a batch job and I had to walk to the computer centre after a while to collect my tape to load into the SystemX prototype I was working on (and often had to cajole the operators into loading a tape, which they had ignored for the last hour, so the job could finish and I could collect my tape to take to the lab).

When I fixed the trivial bug I would find in my testing, I had to do the whole process again. About two iterations a day was fairly typical.

(My first professional programming job was in APL - that was quite fun).

Podcast Addict banned from Google Play Store because heaven forbid app somehow references COVID-19

Graham Cobb

Re: Publish Elsewhere?

I agree as long as there is an easy way to check the apk is signed by a particular key, or the key that the version it is replacing was signed by.

I have a few phones which do not have the Google Play store. Some of them are running old versions of apps that are useful to me. But if I find a new version of the app I want to be sure it has been created by the same people as my existing version and not substituted with a trojan.

Now there's nothing stopping the PATRIOT Act allowing the FBI to slurp web-browsing histories without a warrant

Graham Cobb

Re: 1st Amendement

yelling fire in a crowded theater

You are mistaken. Not only have you omitted the word "falsely" from the test, it was later overturned. See https://en.wikipedia.org/wiki/Shouting_fire_in_a_crowded_theater

In particular:

...partially overturned by Brandenburg v. Ohio in 1969, which limited the scope of banned speech to that which would be directed to and likely to incite imminent lawless action (e.g. a riot). [my emphasis]

CEO of AI surveillance upstart Banjo walks the plank after white supremacist past sinks contracts

Graham Cobb

It is difficult, but I think there are degrees of trust and degrees of rehabilitation.

If someone steals, and serves their time, it may not be unreasonable to not immediately put them in a position of trust. On the other hand, after a period of time with no further convictions, they should end up with as much trust as any other ordinary person -- that is the basis of "spent" convictions and I think it is the right thing to do. I note that even so, there may be some positions which require unusually high levels of trust, and for which special investigations are carried out even of people with no convictions -- in which case the spent conviction may become relevant.

In this case, the crime seems very severe -- it appears to have only been luck that avoided death or injury -- and so the suspension of trust should be for a considerably longer time. Also, his chosen business area (violating privacy) is one which should require an unusually high level of trust and openness, and in which his earlier crimes are particularly relevant.

If he wanted to work in this area, and I acknowledge his earlier experience might make him particularly valuable in this area, he would have done better to either choose to acknowledge his earlier crimes and try to convince the world he had reformed (and accept much closer watching of his behaviour and decisions) or take a lower level of responsibility and bring in someone else to lead the company or, at least, approve his decisions (not just offer advice).

UK finds itself almost alone with centralized virus contact-tracing app that probably won't work well, asks for your location, may be illegal

Graham Cobb

Re: Why not open source the app?

That's what I said: ...delete all my data when I think the crisis is over...

Graham Cobb

Re: Why not open source the app?

While I would like the app to be open-sourced, I don't think that will reduce my concerns significantly. The gov are clear that the app will be sending personal data to their database - what I would need is to open-source (and track) all accesses to that data.

The most worrying thing is that they won't allow me to delete my data. I might be willing to run the app, for the public good, during the crisis. But I will definitely only do that if I can delete all my data when I think the crisis is over. Including copies that have been given to "researchers".

Google is a 'publisher' says Aussie court as it hands £20k damages to gangland lawyer

Graham Cobb

Although I am also slightly torn, I understand why this has to be the case. As we know, data about people is treated very differently from other data in law in most countries. I think almost all commentators here welcome the concept of privacy and the rules around it.

Along with those come other laws which are not so widely accepted but are of the same type. These include the things like the concept of "spent convictions", as well as the "fair reporting" issues in this case.

The bottom line is that there are many laws which affect what can be stored in or reported in a dossier about a person. If I ask an agency to prepare a dossier on a potential hire for me they are not allowed, under law, to include things like spent convictions, and would be clearly committing libel if they included this lawyer's charge without mentioning his exoneration.

Nowadays there is no reason to go to an agency to ask them to prepare a dossier: you just use a search engine. So, to protect both the subject and the opportunity for research agencies to compete, it is clear that search engines must be forced to apply the relevant privacy and other rules when providing information about people.

Bottom line: if you search for things other than people you can reasonably expect a search engine to provide a list of pages matching the search term. But if your search is about people the search engine must apply the relevant country-specific laws about providing personal information.

Nine million logs of Brits' road journeys spill onto the internet from password-less number-plate camera dashboard

Graham Cobb

Re: If I lived there

Can I log a data protection query to find out if my registration number was stored on the database before it was secured?

Can everyone in the country?

How about the council just sending an apologetic letter, and a compensation payment (in lieu of having to handle all these requests and an ICO fine), to the registered owner of every vehicle which was stored in the database at any time before it was secured?

That might start to concentrate minds on whether it was worth doing in the first place.

Graham Cobb

Re: No login details or authentication of any sort was needed to view and search the live system

Yep. They can be sent to prison for H&S failures. Data protection, particularly if systematic, or large numbers of people are affected, should be treated as severely.

Graham Cobb

Re: Massive invasion of privacy

right-wing = evil, left-wing = good

You need to go back to your Politics 101 course: you have the wrong axis.

Economic policies are one way to analyse politicians, and leads to the left-right dichotomy. The analysis that I take into account, however, is authoritarian-liberal. That axis is perpendicular to left/right.

There are plenty of left-leaning and right-leaning politicians who are authoritarian (after all, telling people what to do is very likely to attract those people!). Fortunately, there are also some left-leaning and right-leaning politicians who are liberal. Not enough, though.

ANPR should be banned, or at least limited to destroying all data after at most 24 hours.

Stripe is absolutely logging your mouse movements on websites' payment pages – for your own good, says CEO

Graham Cobb

Re: Prevent fraud ?

Well, I hope you and your colleagues are getting busy on how to replace this with an alternative fraud protection scheme which is clearly visible, stores no private information and gets pre-approval from the user.

Because, now it is known, I will certainly be taking counter-measures and I am sure we will soon see the equivalent of the canvas and audio fingerprint defenders being created for this. Personally I have removed stripe.js from my whitelist and will now only enable it for a very limited time and only on payment pages (like I do with some other payment providers who I already did not trust).

Of course, a vendor is welcome to then disallow me to purchase from them. If they can afford the hit to their revenue stream from disallowing all of us who turn on these blockers.

Sorry, but fraud protection does NOT magically override privacy or other considerations unless you get prior, informed approval.

We lost another good one: Mathematician John Conway loses Game of Life, taken by coronavirus at 82

Graham Cobb

Like, the set in which every polynom of the set have a first root product of the set, unlike with the real set of numbers ?

I think what you are saying there is more usually said in English as:

The set in which every polynomial function has roots in the set, unlike the Reals (in which x^2+1 has no roots, for example).

If so, you are referring to what are called, in English, the Complex numbers (basically by starting with adding the square root of -1 to the set). If so, no, Conway did not invent those.

The Surreal numbers basically add infinite numbers (starting with adding a number to represent countably infinite - the size of the set of integers - but it rapidly gets more complicated).

Graham Cobb

Re: Conway in Cambridge

Great reminiscences, Paul. He was a fellow of my college (Caius) and I saw him around college, but I only met him to talk to a few times. He was my supervisor for the (undergraduate) Rings & Modules course (one term) and he came to a few of the College Maths undergraduate annual dinners. I still have an origami peacock he made at one of those dinners.

Although my main mathematical interest was algebra and number theory, it was his rings and modules supervisions which convinced me that I would not look to become an academic mathematician. His explanations and insights into groups were wonderful but I just didn't have quite the insight necessary. I did know one of his graduate students quite well, who was working on what became the Atlas, and he would give us updates on work on the sporadic groups.

I did enjoy Surreal Numbers - I think it came out while I was there and it helped seal Conway's reputation among the (mathematical) public. It was a great time to be at Caius (1979-1982), with the world's best Pure and Applied mathematicians in the college (Conway and Hawking), seeing them around and even talking to them occasionally. I seem to remember that they alternated attending the mathematical dinners - certainly both did attend at least once during my time.

Bose shouts down claims that it borked noise cancellation firmware to sell more headphones

Graham Cobb

Re: I will never buy Bose headphones again

I have not bought a single HP product since 2002 due to them kickstarting the abuse of the DMCA in the SnoSoft case. Bruce Perens may have forgiven them but I did not. I swore I would never buy another HP product and have never done so. I even wrote to Carly Fiorina asking her to put the full weight of HP behind a campaign to repeal the DMCA but she chose not to answer or to act.

I have not bought any Sony product, of any type, since 2005 due to the Sony rootkit. I took the view that working in the computer business I could not do business with any company which deliberately tried to breach computer security on such a massive scale.

Yes, in both cases, there have been many products which I would have liked to use but companies must remember that actions have consequences. Of course, they do not owe me anything but neither do I owe them anything. I will not be doing business with either of them. Ever.

Who's going to pay for Britain's Aunty Beeb to carry on? Broadband users, broadcaster suggests to government

Graham Cobb

The issue isn't so much the money, it is the commercialism.

The BBC which I value is one which makes shows that are not commercially viable: that cater for minority interests, offer unpopular viewpoints, appeal to limited age groups (all of them, but in narrow bands).

I value the BBC specifically because I only want to watch a small part of what it produces.

Its value is in producing content which commercial broadcasters won't touch.

Cloudflare is over the moon because its pro-privacy DNS service got a clean bill of health from everyone's favorite auditor – KPMG

Graham Cobb

Re: Not yet, at least

Good point, but I still commend Cloudflare for taking that (current) position.

I am beginning to wonder if, with that position, using their DoH service might actually be better than rolling my own? I am currently intending to run a DoH service on my own (internet-visible) server, backed by my own recursive resolver (not forwarded to another resolver).

However, that makes the fact that I (the server owned in my name, with a static IP, running DoH) am looking up that name visible to all the servers I touch during the resolution (and potentially visible to other players like the networks my server transits to get to those servers).

If I use Cloudflare's DoH service then, obviously, Cloudflare know that I (or actually, my end device, which is probably behind carrier-grade NAT somewhere) looked up that name. But nothing else knows: my communication with Cloudflare is encrypted and the nameservers involved only know Cloudflare's DoH server looked up the name.

Interesting that using their service might actually end up being more private than rolling my own.

Apple: Relax, we're not totally screwing web apps. But yes, third-party cookies are toast

Graham Cobb

Re: Progress

I disagree. Take a simple example: if I store data in a web service (such as mail, dropbox, nextcloud, etc) I want to encrypt it so the service can't read it - with a key under my control and not stored in the web service.

So, I need to keep the key somewhere safe: my phone may well be that place. I trust that to be in my possession a lot more than I trust a web service to promise that it isn't going to read my documents. For some levels of desired confidentiality and reliability (which are mostly traded off between each other in this sort of scenario), storage on my device, but visible to an app I run there may be exactly what I want. After all, Lastpass may be great, but it isn't designed for storage of 2048-bit encryption keys.

If I specifically authorize a particular app to store data locally it should be able to store it as long as I want. What we need is to make sure is that is not available to apps by default, and that it is easy to review which apps are storing data, how much, and for how long.

Thought you'd go online to buy better laptop for home working? Too bad, UK. So did everyone. Laptops, monitors and WLANs fly off shelves

Graham Cobb

Re: and desks and chairs at IKEA

Apart, of course, from never knowing, in Swedish, whether a K followed by a vowel is pronounced "sh" or "c". And even the g-as-y thing occasionally changes.

Hong Kong makes wearable trackers mandatory for new arrivals, checks in with ‘surprise calls’ too

Graham Cobb

Re: I don't have a problem with this

I know nothing about the system but I haven't seen anything to suggest the wristband is at all involved in the tracking. The phone obviously does all the tracking, the wristband is just to make sure you are physically near the phone.

So, yes, the wristband currently makes it obvious you are being tracked. But this is an excellent test for the real deployment which is tracking through the WeChat app without you being aware.

Looming ventilator shortage amid pandemic sparks rise of open-source DIY medical kit. Good thinking – but safe?

Graham Cobb

I thought the article said that the 3D printed copy was a disposable device that only lasted a few hours (unlike the $11,000 version). Whether that level of unreliability and required monitoring works for the medical staff is a decision they would have to make.

US prez Donald Trump declares America closed to those flying in from Schengen zone over coronavirus woes

Graham Cobb

Re: So has the fat idiot not heard of Heathrow or other UK airports?

In general, lying to Immigration officers is a bad plan. They have access to a lot more information than they admit to, and the cost of being found out lying is serious: as well as immediate penalties you are unlikely to be able to ever enter the country in the future.

House of Lords push internet legend on greater openness and transparency from Google. Nope, says Vint Cerf

Graham Cobb

Re: Circular argument

It will be fun to see what emerges when Google realises it has to do an Intel: make sure it maintains a competitor that is big enough to appease the regulators but not big enough to threaten its business.

In video I don't expect anything interesting: it will just make sure Vimeo grows a bit, and maybe make sure there is a niche in which Vimeo can be the leader but never make too much money from (so not porn or music, then - maybe handyman videos?).

But in search it might be interesting. It is hard to be a bit-player in search: it takes such a fantastic investment to have internet-wide search coverage. Maybe it is hoping that letting DuckDuckGo, Startpage and searx operate "privacy-preserving" search by screen-scraping Google will be enough to satisfy regulators.

Firefox now defaults to DNS-over-HTTPS for US netizens and some are dischuffed about this

Graham Cobb

Re: Well, there goes home internet filtering

And you don't think your kids know how to change the DNS settings on the PC?

Graham Cobb

Re: It's straightforward to roll your own DNS-over-HTTPS

there is no way you can force applications to use your DoH resolver

But that statement is true whether or not Firefox uses DoH. Any application (or even any javascript running in any browser window) can decide it will do name-to-address translations using their favourite web site if they want, even if there were no such thing as a DoH spec, Firefox or Cloudflare in existence.

Firefox implementing it means the vast majority of those apps will just let FF do the lookup for them and so give me controls to send that to my own server. It changes nothing for the ones who are going to their own DoH server.

Now Internet Society told to halt controversial .org sale… by its own advisory council: 'You misread the community mindset around dot-org'

Graham Cobb

Re: The bloody obvious

If the backlash causes real change, including Trustees selected by Chapters and Members, and the replacement Trustees being clearly determined to protect .org as well as concentrate on the international internet agenda, then it might be worth staying.

Unfortunately, I do not expect that to happen, and I think ISOC is probably dead.

Graham Cobb

Re: The bloody obvious

@JohnFen Assuming your question was not just rhetorical, this is why I think that...

I do not know any of the people involved or any inside information - in fact I mostly only know what has been discussed on the Internet Policy list. I strongly disagree with Andrew Sullivan but I have seen no evidence, even from his biggest critics, that he has acted improperly and his actions appear to be consistent with the job he is paid to do, although I believe he has made the wrong decision.

I mostly blame the Trustees. Their job is to review the decisions of the CEO and to consider the whole impact on the goals, reputation and future of ISOC. It disturbs me that they have not published minutes and other documents, and it worries me that, apparently, there was no opposition to the deal amongst the Trustees. However, again there is absolutely no evidence of any corruption (and little likely benefit to any of them) - and several of them are long term Internet people with good reputations. I think they have been guilty of naivety and short-termism, and have probably been over-worried about their responsibility for long-term funding of IETF and too little concerned with what I consider the important goals of ISOC (international Internet issues).

I have not considered the people on the Ethos side of things. To be honest, I have little information and I assume their goals to be the worst. But my comment wasn't about them.

Ethos have made a very tempting offer to ISOC to secure their financial future. I am not surprised the staff (up to and including the CEO) felt it could not be turned down. However, the Trustees have failed all of us who care about ISOC. When ISOC is replaced, we (the international community) must do a better job of having Trustees which properly consider the international internet, not just IETF funding.

Graham Cobb

Re: The bloody obvious

Personally I believe the assertions by the ISOC trustees and staff that there is no personal gain or corruption involved and that they thought they were acting in the best interests of the society. I think they naively saw a generous opportunity to secure the financial future of the society.

However, they apparently missed the fact that this would destroy ISOC - leaving it with plenty of money but no way to achieve its aims as its constituency of supporters (particularly those outside the US) leave and governments and regulators perceive it to now be irrelevant.

I am not alone in planning to leave ISOC if this transaction goes through. I would expect a significant number of the existing chapters and members would support setting up a new society to promote the goals ISOC was supposed to promote.

Forcing us to get consent before selling browser histories violates our free speech, US ISPs claim

Graham Cobb

Re: "they have unique record of all sites visited that ad companies will not have"

Yes, but we all have the option of not using Google's services. Companies like Mozilla seem to be trying to make sure that it is easy for non-experts to avoid many of those Google services if they want to.

I plan to run my own DoH server but I would certainly prefer Cloudflare over Google (at least until Cloudflare change their business model).

Graham Cobb

Re: Judgement

No, there is no reason the law cannot target ISPs. Don't forget that this is the US, so ISPs are, in many areas, actual monopolies and, everywhere else, effective monopolies. Here (anywhere else in the world) we have a competitive market for ISPs (mostly based on local loop unbundling) so we can choose an ISP based on privacy, if we wish.

So, clearly, if the legislators' goal is to allow people the option of using the internet without being tracked then ISPs can be legitimately targeted. If they want to not be targeted they need to allow effective competition with a large number of competitors.

They are also able, if they wish, to compete with the FAANGs by creating separate companies, not receiving any data from their ISP business - just like those companies do.

Crypto AG backdooring rumours were true, say German and Swiss news orgs after explosive docs leaked

Graham Cobb

Re: dead-dropping

Doesn't sound any better than just leaving the SD card in a flowerpot outside said McDonalds. If the opposition know it is there, it is trivial for them to replace it with their own hotspot and capture all sorts of info about the devices which connect to it. If they don't, then the SD card on the ground is just as good.

MWC now means 'Mostly Without Companies', as Nokia, HMD Global, Facebook, and BT drop out

Graham Cobb

It's gone

Cancelled altogether. And apparently without the "health emergency" they wanted.

Biting the hand that feeds IT © 1998–2020